Audit Report

OIG-09-045
Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt's Administrative Resource Center for the Period July 1, 2008 to June 30, 2009
August 28, 2009

Office of Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20220

August 28, 2009

MEMORANDUM FOR VAN ZECK, COMMISSIONER
               BUREAU OF THE PUBLIC DEBT

FROM:    Michael Fitzgerald
         Director, Financial Audits

SUBJECT: Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt's Administrative Resource Center for the Period July 1, 2008 to June 30, 2009

I am pleased to transmit the attached Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt's (BPD) Administrative Resource Center for the period July 1, 2008 to June 30, 2009. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an examination of the accounting processing and general computer controls related to certain services provided by BPD's Administrative Resource Center to various Federal Government agencies (Customer Agencies) for the period July 1, 2008 to June 30, 2009. The contract required that the examination be performed in accordance with generally accepted government auditing standards and the American Institute of Certified Public Accountants' Statement on Auditing Standards Number 70, Reports on the Processing of Transactions by Service Organizations, as amended.

The following reports, prepared by KPMG LLP, are incorporated in the attachment:

  • Independent Service Auditors' Report; and
  • Independent Auditors' Report on Compliance with Laws and Regulations.

In its examination of BPD's Administrative Resource Center, KPMG LLP found:

  • the Description of Controls Provided by BPD presents fairly, in all material respects, the relevant aspects of BPD's controls that had been placed in operation as of June 30, 2009;
  • these controls are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and Customer Agencies and sub-service organizations applied the controls contemplated in the design of BPD's controls;
  • the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period from July 1, 2008 to June 30, 2009; and
  • no instances of reportable noncompliance with the laws and regulations tested.

In connection with the contract, we reviewed KPMG LLP's reports and related documentation and inquired of its representatives. Our review, as differentiated from an audit in accordance with generally accepted government auditing standards, was not intended to enable us to express, and we do not express, an opinion on BPD's description of controls, the suitability of the design of these controls, or the operating effectiveness of the controls tested, or a conclusion on compliance with laws and regulations. KPMG LLP is responsible for the attached auditors' reports dated August 27, 2009 and the conclusions expressed in the reports. However, our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits, at (202) 927-5076.

Attachment

U.S. Department of the Treasury
Bureau of the Public Debt

Administrative Resource Center
Financial Management Services
Accounting Processing and General Computer Controls

Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period July 1, 2008 to June 30, 2009

U.S. DEPARTMENT OF THE TREASURY
BUREAU OF THE PUBLIC DEBT
ADMINISTRATIVE RESOURCE CENTER
FINANCIAL MANAGEMENT SERVICES

REPORT ON CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS

Table of Contents

I. Independent Service Auditors' Report Provided by KPMG LLP

II. Description of Controls Provided by the Bureau of the Public Debt
    Overview of Operations
    Relevant Aspects of the Control Environment, Risk Assessment, and Monitoring
        Control Environment
        Risk Assessment
        Monitoring
    Information and Communication
        Information Systems
        Communication
    Control Objectives and Related Controls
        The Bureau of the Public Debt's control objectives and related controls are included in Section III of this report, "Control Objectives, Related Controls, and Tests of Operating Effectiveness." Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the Bureau of the Public Debt's description of controls.
    Customer Agency Control Considerations
    Sub-service Organizations

III. Control Objectives, Related Controls, and Tests of Operating Effectiveness
    Accounting Processing Controls
        Obligations
        Disbursements
        Unfilled Customer Orders, Receivables, and Cash Receipts
        Deposits
        Payroll Accruals
        Payroll Disbursements
        USSGL
        Accruals
        Government-Wide Reporting
        Administrative Spending
        Budget
        Manual Journal Entries
        Federal Investments
        Suppliers and Banks Record Changes
    Procurement Processing Controls
        Acquisitions and Contracts
        Sufficiently Funded Requisitions
    General Computer Controls
        System Access
        System Changes
        Non Interruptive System Service
        Records Maintenance

IV. Other Information Provided by the Bureau of the Public Debt
    Contingency Planning

V. Independent Auditors' Report on Compliance with Laws and Regulations

I. INDEPENDENT SERVICE AUDITORS' REPORT PROVIDED BY KPMG LLP

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Service Auditors' Report

Inspector General, U.S. Department of the Treasury
Deputy Executive Director, Administrative Resource Center

We have examined the accompanying description of the accounting processing and general computer controls related to the financial management services provided by the Administrative Resource Center (ARC) of the Bureau of the Public Debt (BPD). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of BPD's controls that may be relevant to a customer agency's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and customer agencies and sub-service organizations applied the controls contemplated in the design of BPD's controls; and (3) such controls had been placed in operation as of June 30, 2009. BPD uses services provided by other organizations external to BPD (sub-service organizations). A list of sub-service organizations is provided in Section II of this report. The accompanying description includes only those controls and related control objectives of BPD, and does not include control objectives and related controls of sub-service organizations. Our examination did not extend to controls of sub-service organizations. The control objectives were specified by the management of BPD. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and applicable Government Auditing Standards issued by the Comptroller General of the United States and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of BPD's controls that had been placed in operation as of June 30, 2009. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies and sub-service organizations applied the controls contemplated in the design of BPD's controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section III, to obtain evidence about their effectiveness in meeting the control objectives, described in Section III, during the period from July 1, 2008 to June 30, 2009. The specific controls and the nature, timing, extent, and results of the tests are listed in Section III. This information is being provided to customer agencies of BPD and to their auditors to be taken into consideration, along with information about the internal control of customer agencies, when making assessments of control risk for customer agencies. In our opinion, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from July 1, 2008 to June 30, 2009.

The relative effectiveness and significance of specific controls at BPD and their effect on assessments of control risk at customer agencies are dependent on their interaction with the controls and other factors present at individual customer agencies. We have performed no procedures to evaluate the effectiveness of controls at individual customer agencies.

The description of controls at BPD is as of June 30, 2009, and the information about tests of the operating effectiveness of specific controls covers the period from July 1, 2008 to June 30, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at BPD is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

The information in Section IV of this report is presented by BPD to provide additional information and is not a part of BPD's description of controls placed in operation. The information in Section IV has not been subjected to the procedures applied in the examination of the description of the controls applicable to the processing of transactions for customer agencies and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of the management of BPD, its customer agencies, the independent auditors of its customer agencies, the U.S. Department of the Treasury Office of Inspector General, the Office of Management and Budget, the Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

August 27, 2009

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

II. DESCRIPTION OF CONTROLS PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

OVERVIEW OF OPERATIONS

The Bureau of the Public Debt's (BPD's) Administrative Resource Center (ARC) has been a member of the Treasury Franchise Fund (TFF) since August 1998. The TFF was established by P.L. 104-208 and was made permanent by P.L. 108-447. ARC provides administrative support services on a competitive, fee-for-service, and full-cost basis. ARC's mission is to aid in improving overall government effectiveness by delivering responsive and cost-effective administrative support to its customer agencies, thereby improving their ability to effectively discharge their mission.

As of June 30, 2009, ARC provided financial management services to approximately 50 customer agencies. Financial management services include accounting, budgeting, reporting, travel, procurement, and systems support and platform services. The ARC divisions, branches, and the financial management services that they provide are:

Accounting Services Division (ASD):
  Accounting Operations Branch (AOB): Document Processing
  Accounts and Reports Branch (ARB): Reporting Services
  Accounting Services Branch (ASB): Document Processing
  Treasury Reporting Branch (TRB): Reporting Services
  Manufacturing Services Branch (MSB): Document Processing; Reporting Services
  Central Accounting Branch (CAB): Budget Services; Supplier Table Update and Maintenance; Record and Reconcile Payroll; 1099 Reporting
  Program Support Branch (PSB): Deposit Services; SPS Operations

Travel Services Division (TSD):
  Temporary Duty Services Branch (TDSB): Temporary Duty Travel Services; Operate/Maintain GovTrip; Provide GovTrip Training Services; Document Processing
  Relocation Services Branch (RSB): Relocation Services; Operate/Maintain moveLINQ; Record and Process Relocations; Tax Reporting

Business Technology Division (BTD):
  Customer Service Branch (CSB): Provide Financial Management System Support/Training
  Quality Control Branch (QCB): Operate/Maintain Financial Management Systems
  Project and Technical Services Branch (PTSB): Application Development/Analysis/Project Management

Human Resources Operations Division (HROD):
  Pay and Leave Services Branch (PLSB): Administer webTA System User Access

Division of Procurement Services (DPS):
  Procurement Services Branch 1 (PSB1): Acquisition Services
  Procurement Services Branch 2 (PSB2): Acquisition Services
  Procurement Services Branch 3 (PSB3): Acquisition Services

ARC Organizational Chart

Office of Executive Director / Deputy Executive Director, with the following divisions and branches reporting to it:
  Accounting Services Division: Accounting Operations Branch; Accounts and Reports Branch; Accounting Services Branch; Central Accounting Branch; Manufacturing Services Branch; Program Support Branch; Treasury Reporting Branch
  Business Technology Division: Customer Service Branch; Quality Control Branch; Project and Technical Services Branch
  Division of Procurement Services: Procurement Services Branch 1; Procurement Services Branch 2; Procurement Services Branch 3
  Human Resources Operations Division: Pay and Leave Services Branch
  Travel Services Division: Relocation Services Branch; Temporary Duty Services Branch

Accounting Services
Accounting Services consists of the following:
  • Recording financial transactions in an automated accounting system, including appropriation, apportionment, allocations, revenue agreements, accounts receivable, collections, commitments, obligations, accruals, accounts payable, disbursements, and journal entries.
  • Examining and processing vendor and employee payments.
  • Examining and processing revenue and other collections.

To maximize efficiencies and enhance customer satisfaction, ARC has developed financial management service guidelines for customer agencies. The guidelines are available to customers via ARC's customer websites. The guidelines provide accounting service overviews, links to regulations, and data submission requirements for the various types of services and accounting transactions that ARC processes.

Prior to providing accounting services to customer agencies, ARC meets with them to learn and understand their authorizing legislation and mission. This enables ARC to assist them in defining their accounting needs and to ensure that the accounting services provided comply with applicable regulations and are able to meet their internal and external reporting needs.

ARC's automated accounting systems provide for budgeting and funds control at various organizational and spending levels. The levels used are established based on the customer agency's authorizing legislation, apportionment level, or its request to control at a lower level than required by law.

ARC offers commitment accounting to customer agencies to better enable them to monitor and control their funds availability. When applicable, ARC sets aside funds that are available for obligation based on an approved purchase requisition (PR). In the event that the actual order amount is greater than the approved PR amount, a modification to the PR is required unless overage tolerances have been pre-approved by the customer agency.

ARC records obligations based on fully executed purchase orders, contracts, training orders, or interagency agreements. Recording the obligations in the accounting system sets aside funds to ensure that funds are available to pay for the goods or services when provided and billed by suppliers. All obligations must be approved for funds availability prior to issuance. This is generally done through processing a PR, but is the responsibility of the customer agency if it elects not to have commitment accounting services. In the event that the invoice amount is greater than the obligated amount, a modification is required unless overage tolerances have been pre-approved by the customer agency.

Customer agencies are required to notify ARC when goods/services have been received but not invoiced by the supplier at the end of a reporting period. Based on the information received, ARC records expense accruals in the accounting system. The notification process is established at the customer agency level and can include submitting receiving reports or schedules that detail the items to be accrued.

ARC processes and/or records all customer agency disbursements. These include supplier invoices, purchase card payments, Intra-governmental Payment and Collection (IPAC) transactions, employee travel reimbursements, and employee payroll.

The preferred approach for payment of qualifying supplier goods/services is the government's purchase card program. Customer agencies are encouraged to obtain and use a government purchase card to the greatest extent possible, and they are encouraged to participate in ARC's purchase card program and use Citibank's CitiDirect system. CitiDirect allows customer agency cardholders and approving officials to electronically reconcile, route, approve, and submit the purchase card statement to ARC for payment.

ARC customer agencies generally use one of two methods of receiving and monitoring the status of supplier invoices. The preferred method requires that supplier invoices be sent directly to ARC. When using this method, ARC has controls that ensure that all invoices are stamped with the date received, are forwarded to the customer agency staff designated on the obligating document for review and approval, and are monitored to ensure that invoices are returned to ARC for processing in accordance with the Prompt Payment Act. The alternative method (used under unique circumstances) requires that supplier invoices be sent directly to the customer agency. When using this method, the customer agency is required to establish controls to ensure that all invoices are stamped with the date received, reviewed, certified by the staff member designated on the obligating document, and submitted to ARC for processing in accordance with the Prompt Payment Act.

All invoices are examined by ARC or customer agency staff to ensure that they are proper, as defined by the Prompt Payment Act. In addition, invoices are matched to the obligating documents and receiving reports (when applicable) and are certified by contracting officer's technical representatives (COTRs) or points of contact (POCs). If receiving reports are not submitted, the COTR/POC certifies that the invoice is in accordance with the terms of the order and provides the dates the goods/services were received and accepted.

After the COTR/POC certifies the invoice, it is submitted to ARC to process the payment to the supplier. The customer agency is responsible for ensuring that invoices are submitted in time to receive discounts, if applicable, and to pay the invoice prior to the Prompt Payment Act due date. Upon receipt, ARC reviews the invoice for proper certification, accuracy, and completeness and either schedules the payment in accordance with the terms of the order, the Prompt Payment Act, and Electronic Funds Transfer (EFT) rules, or returns the invoice to the customer for clarification or additional information.

ARC transmits EFT and check payment files to the U.S. Department of the Treasury using Treasury's Secure Payment System (SPS). In addition, ARC processes most intragovernmental payments using Treasury's IPAC system. ARC obtains customer agency approval prior to initiating an IPAC payment to another federal agency. ARC also monitors IPAC activity initiated against the customer agency by another federal agency and forwards all IPAC payments to the appropriate certifying official for approval. ARC records all IPAC payments in the accounting period in which the IPAC was accomplished.

Third-party payroll processors provide ARC with a file of payroll data at least bi-weekly (weekly if payroll adjustment files are applicable) to interface into the accounting system. ARC reconciles all payroll transactions recorded to the disbursements reported by the third-party processor. ARC records payroll accruals on a monthly basis and reverses the accrual in the subsequent accounting period. The payroll accrual is a prorated calculation performed by the accounting system that is based on the most recent payroll disbursement data available.

ARC processes revenue and collection related transactions (i.e., unfilled customer orders, receivables, and cash receipts) with customer agency approval. Customer agencies forward to ARC either approved source documents or a summary of their transactions. ARC records IPAC transactions in the period in which they are processed in the Financial Management Service's (FMS's) IPAC system. Check deposits are made by ARC or the customer agency. When checks are deposited by customers, the Standard Form (SF) 215 deposit ticket is forwarded to ARC. In addition, all deposits require the customer agencies to provide the accounting information necessary to record the cash receipt.

ARC records proprietary and budgetary accounting entries using the United States Standard General Ledger (USSGL) and Treasury-approved budget object codes at the transaction level. In addition, ARC reconciles general ledger accounts to ensure transactions are posted to the appropriate accounts. ARC prepares budgetary-to-proprietary account relationship reconciliations on a monthly basis to ensure transactions are recorded properly and corrects any invalid out-of-balance relationships.

ARC utilizes FileSurf, a software application managed by BPD's Office of Management Services (OMS), Information Management Branch (IMB), to track hardcopy data records placed in storage. ARC generates labels, which are printed and placed on boxes that are to be stored in BPD's warehouse. The information recorded on the label is entered into FileSurf so that the boxes can subsequently be requested by ARC personnel as they are needed. Once the data is recorded in FileSurf, BPD warehouse personnel either pick up the box to be placed in storage or return the box to ARC, as applicable.

ARC works with customer agencies to develop and implement processes to ensure the accuracy of their accounting information. This includes reviewing open commitment, obligation, expense accrual, customer agreement, and open billing document reports for completeness, accuracy, and validity. This review is conducted by customer agencies or ARC staff no less frequently than quarterly. Based on the review, a determination is made on the action(s) needed to adjust or remove any invalid items in ARC's accounting records.

Budget Services
ARC enters the customer agency's budget authority in the accounting system based on the supporting documentation, which may include enacted legislation, anticipated resources, Treasury warrants or transfer documents, an Apportionment and Reapportionment Schedule (SF 132), the customer agency's budget plan, or recorded reimbursable activity. The budget process makes funds available for commitment, obligation, and/or expenditure, and, with controls in place, the automated accounting system checks for sufficient funds in the customer agency's budget at the specified control levels.

Reporting Services
ARC performs all required external reporting for customer agencies, including the following reports: FMS 224, FACTS I, FACTS II, Report on Receivables, Treasury Information Executive Repository (TIER), and quarterly and year-end financial statements. In addition, ARC has created a standard suite of management reports that are available to all customer agencies. ARC also reconciles certain general ledger accounts and ensures that proprietary and budgetary general ledger account relationships are maintained.

Travel Services
Temporary Duty Travel Services consist of the following:
  • Operating and maintaining the E-Gov Travel system (GovTrip) in compliance with the Federal Travel Regulation (FTR) for all ARC customer agencies
  • Researching and implementing the FTR and Agency/Bureau travel policies
  • System administration
  • Providing customer service and training to system users
  • Evaluating, recommending, and implementing approved changes to existing systems and/or new systems, including working with the E-Gov Travel vendor and the General Services Administration (GSA) on system enhancements and deficiencies
  • Processing employee reimbursements via interface to Oracle Federal Financials (Oracle)

Travel documents (authorizations and vouchers) and miscellaneous employee reimbursements are entered by customer agencies into GovTrip and are electronically routed
to an Approving Official\nfor review and approval. The Approving Official electronically signs the documents with a status\nof \xe2\x80\x9capproved\xe2\x80\x9d. All \xe2\x80\x9capproved\xe2\x80\x9d documents are interfaced and reconciled to Oracle daily.\nGovTrip contains system audits that prohibit documents that do not meet certain Federal Travel\nRegulations or do not contain required accounting information from interfacing to Oracle.\n\nAccess to GovTrip is restricted to users with a valid logon ID and password. All GovTrip users\nmust complete the self-registration process, which includes being accepted by a TSD\nAdministrator who verifies the request to grant GovTrip access. Budget Reviewers and\nApproving Officials must complete, sign, and submit an approved Form PD5409E \xe2\x80\x93\nAdministrative Resource Center (ARC) Online Applications Access Request or have their\napproving official or agency travel contact submit an e-mail request to Travel Services. Changes\nto a user\xe2\x80\x99s identification (i.e., name change) require a resubmitted Form PD5409E or an e-mail\nfrom the user copying his/her approving official or agency travel contact. 
Changes to a user\xe2\x80\x99s\nrole require a resubmitted PD5409E or e-mail approval from the traveler\xe2\x80\x99s approving official or\nagency travel contact.\n\nRelocation Services\nRelocation Services consist of the following:\n   \xe2\x80\xa2 Operating and maintaining moveLINQ, a government relocation expense management\n        system in compliance with the Federal Travel Regulations (FTR), Joint Travel\n        Regulations (JTR) and Joint Federal Travel Regulations (JFTR) to record and process\n        permanent change of station moves for customer agencies\n   \xe2\x80\xa2 Researching and implementing relocation regulations and Agency/Bureau relocation\n        travel policies\n   \xe2\x80\xa2 System Administration\n   \xe2\x80\xa2 Providing customer service\n   \xe2\x80\xa2 Providing system support and training to internal users\n   \xe2\x80\xa2 Evaluating, recommending, and implementing approved changes to the existing system,\n        including working with the moveLINQ vendor, mLINQS, on system enhancements and\n        deficiencies\n   \xe2\x80\xa2 Processing relocations through the moveLINQ system\n   \xe2\x80\xa2 Processing obligations and disbursements via interface to Oracle Federal Financials\n        (Oracle)\n\nRelocation travel documents (authorizations, amendments, advances, and vouchers) are entered\nby ARC into moveLINQ. Prior to being submitted in moveLINQ, the vouchers are reviewed for\naccuracy by a second ARC employee. Completed documents are faxed or digitally scanned and\ne-mailed to the traveler and/or approving official for review and approval, as appropriate. 
For\ncustomers that we process payments, approved documents are interfaced and reconciled to Oracle\ndaily.\n\n\n\n\n                                             11                Description of Controls Provided\n                                                               by the Bureau of the Public Debt\n\x0cAccess to moveLINQ is restricted to ARC users with a valid logon and password. The process\nfor requesting, establishing, issuing, and closing user accounts is controlled through the use of the\nmoveLINQ Online Application Access Request Form which requires supervisor approval.\nChanges to a user\xe2\x80\x99s identification (i.e. name change) require a resubmitted moveLINQ Online\nApplication Access Request Form or e-mail from the user copying his/her supervisor or manager.\nChanges to a user\xe2\x80\x99s role require a resubmitted Application Access Request Form or e-mail\napproval from the user\xe2\x80\x99s supervisor or manager.\n\nProcurement Services\nProcurement Services consist of the following:\n    \xe2\x80\xa2 Awarding contracts and purchase orders in accordance with Federal Acquisition\n       Regulations and Treasury Acquisition Regulations\n    \xe2\x80\xa2 Contract administration\n\nRequests for procurement actions are initiated by customers through requisitions. The\nrequisitions contain a performance work statement or requirements document, estimated dollar\namount for the goods or service, validation that funds are available and approval from an\nauthorized official. Requisitions may be sent electronically through PRISM or manually.\n\nUpon receipt of a completed requisition, ARC procurement personnel will develop an acquisition\nstrategy based upon the item or service being purchased and the expected dollar amount of the\npurchase. Using information from the requisition, ARC personnel will develop and publicize the\nsolicitation requesting proposals. 
ARC personnel will conduct the evaluation of the proposals\nwith technical team of experts from our customer agencies. With input from the technical team,\nan ARC contracting officer will select the vendor that best meets the customer\xe2\x80\x99s requirements.\n\nFollowing award of the contract, ARC personnel will provide contract administration services.\nThis includes executing approved and authorized contract modification, resolving issues that arise\nduring the life of the contract, monitoring delivery schedules and closing out the contract at\ncompletion.\n\nSystem Platform Services\nARC maintains system support staff that provide customer services and training activities.\nCustomer support is provided via phone or e-mail. ARC maintains a training course curriculum\nthat is generally provided in a hands-on classroom environment.\n\nARC performs all system access activities in accordance with established procedures for granting,\nchanging, and removing user access. Included in these procedures are independent reviews of\nsystem access activity and user inactivity.\n\nARC performs all system change activities in accordance with established procedures for\nevaluating, authorizing, and implementing. To this end ARC maintains responsibility for System\nIntegration Testing, providing customers an opportunity to perform User Acceptance Testing, and\napproving production changes.\n\n\n\n\n                                               12                 Description of Controls Provided\n                                                                  by the Bureau of the Public Debt\n\x0cRELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK\nASSESSMENT, AND MONITORING\n\nControl Environment\n\nARC Financial Management Service operations are under the direction of the Office of the\nExecutive Director of ARC. 
ARC's mission is to aid in improving overall government effectiveness by delivering responsive and cost effective administrative support to its customer agencies, thereby improving their ability to effectively discharge their missions.

ARC employees are responsible for processing and reporting accounting activity, and for providing system support and development services, procurement, and travel services for its customer agencies. ARC holds management meetings on a regular basis to discuss special processing requests, operational performance, and the development and maintenance of projects in process. Written position descriptions for employees are maintained. The descriptions are inspected and revised as necessary.

References are sought and background, credit, and security checks are conducted for all BPD personnel when they are hired. Additional background, credit, and security checks are performed every three to five years. The confidentiality of user-organization information is stressed during the new employee orientation program and is emphasized in the personnel manual issued to each employee. BPD provides a mandatory orientation program to all full time employees and encourages employees to attend other formal outside training. Training available to BPD employees with related work responsibilities includes, but is not limited to: Prompt Pay and Voucher Examination, Appropriation Law, Federal Acquisition Regulations, Federal Travel Regulations, FMS 224 – Statement of Transactions, Dollars & Sense, Standard General Ledger (SGL) Basic, SGL Advanced, SGL Trial Balances and Crosswalks, Budgeting and Accounting – Making the Connection, and Computer Security Training Awareness.

All BPD employees receive an annual written performance evaluation and salary review. These reviews are based on goals and objectives that are established and reviewed during meetings between the employee and the employee's supervisor. Completed appraisals are reviewed by senior management and become a permanent part of the employee's personnel file.

Risk Assessment

BPD has placed into operation a risk assessment process to identify and manage risks that could affect ARC's ability to provide reliable accounting and reporting, system platform and travel services for customer agencies. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures and controls to manage these risks.

Monitoring

BPD management and supervisory personnel monitor the quality of internal control performance as a normal part of their activities. Management and supervisory personnel inquire of staff and/or review data to ensure that transactions are processed within an effective internal control environment. An example of a key monitoring control is that ASD Reporting Branch Managers and/or Supervisors review reconciliations from Oracle subledgers to the related general ledger accounts. ASD prepares budgetary to proprietary account relationship reconciliations on a monthly basis. In addition, ASD prepares and reconciles the FACTS II submitted reports to the trial balance and statement of budgetary resources on a quarterly basis. ARC also uses the results of the annual Statement on Auditing Standards Number 70 (SAS 70) examination as a tool for identifying opportunities to strengthen controls.

INFORMATION AND COMMUNICATION

Information Systems

Migration to Commercial Host (Oracle on Demand)
ARC is migrating the hosting of Oracle Federal Financials and PRISM to Oracle Corporation's Oracle on Demand service in three phases. As the hosting company for ARC, Oracle on Demand staff serve as the database and systems administrators and provide backup and recovery services. The Oracle and PRISM systems physically reside in a caged federal environment within Oracle on Demand's Austin Data Center and will only be accessible via VPN between BPD and Oracle on Demand. The first phase for production use (C1) included all but two customer agencies. Phase one was completed on April 14, 2009. The second phase (C2), for one customer agency, was completed on May 26, 2009; and the third phase (C3), for one customer agency, is scheduled to be completed in February 2010.

Oracle Federal Financials (Oracle)
Prior to migration, ARC operated Oracle version 11i with the Oracle 9i database, which ran within BPD's perimeter security zones and accessed data in the perimeter security zones using Linux as its operating system. BPD's Office of Information Technology (OIT) served as the Oracle database administrator and provided primary support for tape backup and recovery. Security was also provided by OIT through firewall rules and router access control lists. Oracle on Demand operates Oracle version 11i with the Oracle 10g database in a Linux operating system environment.

The following Oracle system information is relevant for the entire period – July 1, 2008 through June 30, 2009. Oracle uses a two-tier web-based infrastructure with a front-end Internet user interface and a database residing on the secure network. The application accesses the database IP to IP on a specified port that was defined in the Access Control List. Internet access is via a 128-bit Secure Sockets Layer (SSL) encrypted connection. The application is compliant with Section 508 of the Rehabilitation Act Amendment for 1998 for Americans with Disabilities (ADA). Functions of Oracle include budget execution, general ledger, purchasing, accounts payable, accounts receivable, fixed assets, and manufacturing. ARC also uses a report writer package called Discoverer that provides users with the ability to create their own ad hoc reports for query purposes.

GovTrip
ARC uses Northrop Grumman Mission Systems' (NGMS) GovTrip travel system (the system selected by the U.S. Department of the Treasury as its E-Gov Travel solution). NGMS developed and hosts GovTrip. GovTrip is a web-based, self-service travel system that incorporates traditional reservation and fulfillment support and a fully-automated booking process. GovTrip uses system processes and audits to ensure compliance with the FTR and/or Agency policy. GovTrip is used to prepare, examine, route, approve, and record travel authorizations and vouchers. It is used to process all temporary duty location (TDY) authorizations, vouchers, local vouchers and miscellaneous employee reimbursements. Approved documents interface to Oracle for obligation or payment during a daily batch process. GovTrip users consist of travelers, document preparers, budget reviewers, approving officials and administrators.

moveLINQ
ARC uses mLINQS' relocation expense management system, moveLINQ, to meet its relocation management program, payment system and reporting requirements. moveLINQ is an E-Gov Travel Services and Federal Travel Regulations, Chapter 302 compliant web-based system that automates relocation expense management processes, policy and entitlement for both domestic moves and international relocations. The application is used for household goods shipment and storage arrangements, employee travel arrangements, third party real estate payments and relocation tax administration, including W-2 preparation. Approved documents interface to Oracle for obligation or payment during a daily scheduled batch process. moveLINQ users consist of authorized TSD personnel. OIT hosts the moveLINQ system, serves as the Microsoft SQL database administrator, and provides primary support for tape backup and recovery.

Procurement Request Information System Management (PRISM)
Prior to migration, ARC operated the Compusearch PRISM system as its procurement system for customer agencies serviced by Oracle. ARC operated PRISM version 6.0 with the Oracle 9i database, which ran within BPD's perimeter security zones and accessed data in the perimeter security zones using Linux as its operating system. OIT served as the PRISM database administrator and provided primary support for tape backup and recovery. Security was provided by OIT through firewall rules and router access control lists. Oracle on Demand operates PRISM on a Windows operating system with an Oracle 10g database in a Linux operating system environment.

The following PRISM system information is relevant for the entire period – July 1, 2008 through June 30, 2009. PRISM uses a two-tier web-based infrastructure with a front-end Internet user interface using Windows as its operating system and a database residing on the secure network. The application accesses the database on a specified port that is defined in the Access Control List. Only select Internet Protocol (IP) addresses that are defined in the Access Control List are permitted to connect to the database IP. Internet access is via a 128-bit SSL encrypted connection. Transactions entered through PRISM interface in real time with Oracle.

webTA
ARC uses Kronos' webTA as its time and attendance system for most of its customer agencies whose payroll is processed by the NFC. Transactions that are entered in webTA interface with NFC, and NFC ultimately sends payroll data back to ARC for an interface into Oracle.

ARC operates webTA version 3 on Windows 2000. webTA uses the Oracle 9i database, which runs on the ARC subnet and accesses data in the ARC DMZ using Linux AS 2.1 as its operating system. OIT serves as the webTA database administrator and provides primary support for tape backup and recovery. webTA uses a two-tier web-based infrastructure with a front-end Internet user interface and a database residing on the secure network. The application (web-applet) accesses the database on a specified port that is defined in the Access Control List. Only select IP addresses that are defined in the Access Control List are permitted to connect to the database IP. External Internet access is via a 128-bit encrypted connection. External security is provided by OIT through firewall rules and router access control lists.

PRISM, GovTrip, and moveLINQ are feeder systems that interface with Oracle. webTA feeds data to the National Finance Center (NFC), which is then interfaced with Oracle. ARC and Oracle on Demand personnel maintain Oracle, PRISM, moveLINQ, and the payroll interface that feeds NFC data to Oracle.

Communication

BPD has implemented various methods of communication to ensure that all employees understand their individual roles and responsibilities over processing transactions and controls. These methods include orientation and training programs for newly hired employees, and the use of electronic mail messages to communicate time sensitive messages and information. Managers also hold periodic staff meetings as appropriate. Every employee has a written position description that includes the responsibility to communicate significant issues and exceptions to an appropriate higher level within the organization in a timely manner. Managers also make an effort to address the continuing education needs of all employees by identifying training opportunities made available through BPD's employee training and career development programs, internal training classes, and professional conferences.

CUSTOMER AGENCY CONTROL CONSIDERATIONS

BPD's accounting processing and general computer controls related to ARC's financial management services were designed with the expectation that certain internal controls would be implemented by customer agencies.
The application of such controls by the customer agencies is necessary to achieve all control objectives identified in this report, since ARC is a servicing organization that processes transactions that directly affect customer agencies.

This section describes certain controls that customer agencies should consider for achievement of the control objectives identified in this report. The customer agency control considerations presented below should not be regarded as a comprehensive list of all controls that should be employed by customer agencies. Customer agencies should establish controls to:

• Properly approve and accurately enter obligations into the procurement and travel systems in the proper period.
• Send valid requests to record manual obligations to ARC in a timely manner.
• Review open obligation reports for completeness, accuracy, and validity.
• Restrict customer agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to authorized individuals.
• Approve and return relocation travel authorizations to RSB for processing in moveLINQ in a timely manner.
• Communicate customer agency required levels of budget and spending controls to ARC.
• Compare actual spending results to budgeted amounts.
• Review the financial reports provided by ARC to ensure that disbursement transactions are complete and accurate.
• Provide certification of FACTS II to ARC prior to ARC's FACTS II system certification.
• Approve invoices for payment and send approved invoices to ARC in a timely manner.
• Ensure that invoices properly reflect the invoice receipt date and formal or constructive acceptance date according to the Prompt Payment Act.
• Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.
• Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a timely manner.
• Maintain and communicate to ARC a list of individuals authorized to approve invoices and travel vouchers when it is not communicated in the authorizing agreement.
• Send approved and accurate documentation of unfilled customer orders, receivables, and cash receipt transactions to ARC in the proper period.
• Review unfilled customer orders, receivable and advance reports for completeness, accuracy, and validity.
• Monitor and pursue collection of delinquent balances.
• Review the financial reports provided by ARC to ensure that payroll accruals are complete and accurate.
• Verify that payroll processed by third-party providers is complete and accurate.
• Review the financial reports provided by ARC to ensure that payroll disbursements are complete and accurate.
• Review open accrual reports for completeness, accuracy, and validity.
• Approve and send revenue and expense accruals to ARC in a timely manner.
• Review the financial reports prepared by ARC to ensure that all reports prepared for external use are complete, accurate, and submitted in a timely manner.
• Review the financial reports provided by ARC to ensure that budget entries are complete and accurate.
• Send approved budget plans to ARC in a timely manner.
• Review and approve the listing of users with current Oracle, PRISM, webTA, and GovTrip access to ensure appropriateness.
• Ensure exiting employee timecards are coded "Final", as this will help ensure that HR staff deactivate the employee's webTA access.
• Send valid and approved requests to record manual journal entries to ARC in a timely manner.
• Maintain and communicate to ARC a list of individuals authorized to submit manual journal entries that are initiated by the customer agency.
• Communicate OMB apportionment status to ARC.
• Monitor usage of budget authority during periods of operation under a Continuing Resolution to ensure that OMB directed apportionment limits are not exceeded.

Specific customer agency control considerations are provided for Control Objectives 1, 2, 3, 5, 6, 8, 9, 10, 11, 12 and 17 in the Control Objectives, Related Controls, and Tests of Operating Effectiveness section of this report.

SUB-SERVICE ORGANIZATIONS

In order to provide financial management services, ARC relies on systems and services provided by other organizations external to BPD (sub-service organizations). The following describes the sub-service organizations used by ARC that are included in this report.
KPMG LLP's examination did not extend to controls of these sub-service organizations and associated systems.

Name of Sub-service Organization: Treasury Financial Management Service (FMS)

  Name of System: Government Wide Accounting (GWA) Account Statement
  Function/Responsibilities: Treasury's FMS provides reports to inform agencies of their Fund Balance With Treasury and to assist agencies in reconciling their general ledger balances to FMS balances. ARC uses these reports for the performance of reconciliations.

  Name of System: Secure Payment System (SPS)
  Function/Responsibilities: ARC uses SPS to process payments for invoices.

  Name of System: CA$HLINK II, GWA TDO Payments, Intragovernmental Payment and Collection transactions (IPACs)
  Function/Responsibilities: Each month, Treasury's FMS issues the FMS 6652, Statement of Differences, to agency location codes (ALC) when differences are identified between the cash activity reported by the agency on the FMS 224, Statement of Transactions, and data reported to Treasury's CA$HLINK II, GWA TDO Payments, and IPAC systems. ARC accountants minimize month-end disbursement differences by comparing preliminary FMS 224 data to data obtained from Treasury's CA$HLINK II, GWA TDO Payments, and IPAC systems.

  Name of System: FACTS I
  Function/Responsibilities: Treasury's FMS maintains the FACTS I system. The FACTS I system has edit checks to verify that the submitted USSGL accounts and attributes are valid and have equal debit and credit balances.

  Name of System: FACTS II
  Function/Responsibilities: Treasury's FMS maintains the FACTS II system. The FACTS II system performs USSGL edit checks and rejects any files that fail the edit checks.

Name of Sub-service Organization: Treasury

  Name of System: Treasury Information Executive Repository (TIER)
  Function/Responsibilities: For ARC's Treasury and Department of Homeland Security customer agencies, FACTS I and II reporting requirements are met using TIER. TIER is Treasury's departmental data warehouse that receives monthly uploaded financial accounting and budgetary data from the Treasury bureaus and other reporting entities within the Department of the Treasury in a standardized format. Data submitted to TIER by an ARC accountant is validated based on system-defined validation checks. ARC has customized programs in Oracle that extract the accounting and budgetary data in the required TIER format. TIER has a standardized chart of accounts that is compliant with USSGL guidance issued by the Department of the Treasury. FACTS II edit checks are incorporated in the TIER validation checks. After submitting the adjusted trial balances into TIER, ARC accountants review the edit reports and resolve any invalid attributes or out-of-balance conditions. ARC accountants document this review by completing the TIER Submission Checklist, which is further reviewed by a supervisor.

  Name of System: Financial Analysis and Reporting System (FARS)
  Function/Responsibilities: Treasury's FARS produces financial statements using data that bureaus have submitted to TIER.

Name of Sub-service Organization: Various third-party payroll processors

  Name of System: Various systems
  Function/Responsibilities: Third-party payroll processors transmit payroll files to ARC during the second week after the end of a pay
        period. ARC uses these files for\n                                                   processing payroll disbursements.\n\nNorthrop Grumman              GovTrip              NGMS developed and hosts the\nMission Systems (NGMS)                             GovTrip system, which is an E-Gov\n                                                   travel platform. NGMS is the vendor\n                                                   for E-Gov travel selected by the\n                                                   Department of the Treasury.\n\n\n                                                   NGMS maintains the data in their\n                                                   Business Data Warehouse for six\n                                                   years and three months.\n\n\nDun & Bradstreet              Central Contractor   Primary registrant database for the\n                              Registration (CCR)   U.S. Federal Government; collects,\n                                                   validates, stores and disseminates data\n                                                   in support of customer agency\n                                                   acquisition missions.\n\nBureau of the Public Debt     FedInvest            Used to purchase and redeem\n                                                   Government Account Series (GAS)\n                                                   securities; data source for customer\n                                                   agency federal investment interfaced\n                                                   transactions with Oracle.\n                                                   ARC has migrated the hosting of\nOracle Corporation            Oracle on Demand\n                                                   Oracle and PRISM to Oracle on\n                                                   Demand for the two of the three\n                                                   
customer environments (C1 and C2)\n                                                   supported by ARC. C1 was cutover to\n                                                   Oracle on Demand for production use\n                                                   on April 14, 2009, and C2 on May 26,\n                                                   2009. The third environment, C3, is\n                                                   scheduled to be migrated to Oracle on\n                                                   Demand in February 2010.\n\n                                                   Oracle on Demand staff serve as the\n                                                   database and systems administrator\n                                                   and provides back-up and recovery\n                                                   services for Oracle and PRISM.\n\n\n                                           22           Description of Controls Provided\n                                                        by the Bureau of the Public Debt\n\x0cIII.   CONTROL OBJECTIVES, RELATED CONTROLS, AND\n           TESTS OF OPERATING EFFECTIVENESS\n\n\n\n\n                      23   Control Objectives, Related Controls, and\n                                    Tests of Operating Effectiveness\n\x0cACCOUNTING PROCESSING CONTROLS\n\nControl Objective 1 - Obligations\n\nControls provide reasonable assurance that obligations are authorized, reviewed, documented,\nand processed timely in accordance with Administrative Resource Center (ARC) policies and\nprocedures.\n\nDescription of Controls\n\nARC has documented procedures for staff to follow for the processing of obligations.\n\nPRISM System Interface\nAn obligation is created when a customer agency enters into a legally binding contract with a\nvendor for goods or services. The obligation is entered into the accounting system through an\ninterface between PRISM and Oracle. 
The interface changes the budget status from a commitment (if applicable) to an obligation in the general ledger and updates the corresponding system tables. The interface between the procurement and accounting systems is real-time. The procurement system has built-in controls that validate information provided by the customer agency and ensure proper authorization is granted prior to the interface into the accounting system. These include:
    • Limited options based on roles;
    • Field inputs limited to look-up tables;
    • Data validations;
    • Pre-populated fields for default or standard entries;
    • Validation of funds availability; and
    • Non-editable fields (i.e., total when amount is per unit).

The interface between PRISM and Oracle is monitored periodically throughout the day by systems analysts. The analysts periodically monitor a report that identifies transactions that have been in the Pending Financial Approval status for more than 15 minutes and a report that identifies transactions that were disapproved during the Pending Financial Approval status. The analysts monitor the reports to ensure transactions are processed timely and to identify and investigate any issues. Additionally, for transactions that terminate in Pending Financial Approval status, the report indicates that when Oracle attempted to insert the record into the general ledger database a successful message was not returned. The report lists all transactions currently in this state. The analyst investigates all transactions included in the report to resolve the issues and change the status accordingly. Additionally, the customer agency approver receives notification of the failure in their PRISM inbox if the document status is disapproved.

Manually Recorded Obligations – Customer Agency Approval
For obligations not processed through the interface, customer agencies and/or Procurement send ARC a signed hardcopy of the agreement, or send ARC an e-mail to obligate the funds. Upon receipt from the customer agency, the ARC technician responsible for processing the customer agency's accounting transactions reviews the documentation to ensure that adequate accounting information has been received, and manually enters the obligation into Oracle. Obligations that are posted in Oracle are available for both ARC and customer agency review through ad hoc Discoverer reports.

Temporary Duty Travel System Interface
Customer agencies enter travel authorizations into GovTrip and electronically route them to Approving Officials for review and approval. Approving Officials electronically sign the authorization with a status of "approved". All "approved" authorizations are interfaced daily via batch processing to Oracle, which records an obligation in the general ledger. Each day an interface file is received from Northrop Grumman Mission Systems (NGMS) which is used for processing, report generation, and identification of exceptions. The file is loaded into the Oracle interface and accepted records are added to Oracle as obligations in the general ledger. A Travel Order Status Report is generated and reviewed to identify and correct data interface errors and exceptions between GovTrip and Oracle. To correct transactions of this nature, the transactions are manually entered into the system. Approved authorizations in GovTrip are reconciled daily by an accounting technician with an Oracle generated report to ensure that all GovTrip authorizations have been interfaced and processed in Oracle. In addition, GovTrip prevents a user from both entering and approving travel authorizations unless they have authorized access.

Relocation Travel System Interface
RSB personnel enter PCS travel authorizations into moveLINQ, print them, and send them to Approving Officials for review and approval. When the signed document is received by RSB, Relocation Coordinators stamp the document in moveLINQ with a status of "submitted". All "submitted" documents are interfaced daily via batch process to Oracle, which records an obligation in the general ledger. Each day an interface file is generated from moveLINQ which is used for processing, report generation, and identification of exceptions. The file is loaded into the Oracle interface and accepted records are added to Oracle as obligations in the general ledger. A Travel Order Status exception report is generated and reviewed daily to identify and correct data interface errors and exceptions between moveLINQ and Oracle. To correct transactions of this nature, the transactions are manually entered into the system. Submitted authorizations in moveLINQ are reconciled daily by an accounting technician with an Oracle generated report to ensure that all moveLINQ authorizations have been interfaced and processed in Oracle. A weekly review of the reconciliation process is performed by a Travel Analyst and any identified issues are resolved.

Budget Execution System Controls
Customer agencies can establish and monitor both legally established and internally developed budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (based upon the customer's appropriation)
    • Apportionment (based upon the apportionment schedule on the SF132)
    • Cost Center (based upon the customer's internal budget plan)
    • Reporting Category (based upon the customer's internal budget plan)
    • Project Code (based upon the customer's internal budget plan)
    • Budget Object Code (based upon the customer's internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount or allow spending over the budget plan amount at any level of the budget plan. Spending beyond the apportionment and appropriation levels (legal levels) is prohibited. Decisions on control settings that permit or prevent spending beyond other budget plan levels are made by the customer agency. System controls are applied at the fund level after passage of appropriation legislation and a high level budget is loaded. Upon receipt and input of a detailed financial plan, controls will be established at the level dictated by the customer agency.

Budget execution settings are determined by the customer agency and input into Oracle by the Customer Service Branch (CSB). System settings are reviewed with the customer agency on an annual basis. Budget plans are input into Oracle by ARC staff, based upon budget plans provided by customer agencies. Budget plans input into Oracle by ARC staff are reviewed and signed off on by an ARC Supervisor.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification number. System controls prohibit the use of duplicate document numbers on obligating documents. ARC has developed and implemented a standard document-numbering scheme to avoid duplicate document processing and to enable readers of ARC reports to better identify and/or determine the nature of transactions processed by ARC. When an ARC user attempts to enter a transaction identification number that already exists, Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Properly approve and accurately enter obligations into the procurement and travel systems in the proper period.
•   Send valid requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Restrict customer agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to authorized individuals.
•   Approve and return relocation travel authorizations to RSB for processing in moveLINQ in a timely manner.
•   Communicate customer agency required levels of budget and spending controls to ARC.
•   Compare actual spending results to budgeted amounts.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of obligations and determined that the procedures were formally documented for the processing of obligations.
•   Inquired of a Financial Systems Analyst in the Quality Control Branch (QCB) and was informed that the system validates data prior to the interface to the Oracle system.
•   Observed the validation tables in the PRISM system and noted that the system was configured to validate obligation document types and to ensure accuracy and completeness of the data interfaced from the PRISM system to the Oracle system.
•   Observed the PRISM Support Desk staff monitoring the "Pending Financial Approval" and "Disapproved during Pending Financial Approval" reports and noted that the reports appeared to be monitored, backlogs were not building up, and an issue noted at the time of observation was investigated and resolved.
•   For a selection of manually entered obligations, inspected evidence of customer agency approval and determined that manually entered obligations were approved prior to being entered into Oracle by ARC staff.
•   Observed the daily GovTrip interface and noted that approved travel authorizations interfaced into the Oracle system and were recorded as obligations.
•   For a selection of dates, inspected GovTrip to Oracle interface reconciliations and determined that daily reconciliations were performed to ensure that data from the GovTrip system interfaced to the Oracle system.
•   Inspected screen prints from an ARC staff member entering travel vouchers into GovTrip and determined that the system required the travel vouchers to be routed to an approving official.
•   Inspected screen prints of an approving official attempting to enter and approve travel vouchers and determined that GovTrip prevented a user from both entering and approving travel vouchers.
•   Observed the daily moveLINQ interface and noted that approved relocation authorizations were interfaced into the Oracle system and recorded as obligations.
•   For a selection of days, inspected the reconciliation of authorizations from moveLINQ to the Oracle system and determined that the interface activity was reconciled to ensure all approved authorizations were completely and accurately interfaced to the Oracle system.
•   For a selection of weeks, inspected the review evidence of the reconciliation process performed by an RSB Accountant/Travel Assistant and determined that the review was performed weekly and any identified issues were resolved.
•   For a selection of customer agencies, inspected evidence and determined that for the year they specified their budget controls, they were input by CSB staff, and then reviewed by a supervisor for completeness and accuracy.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document number that had already been entered into Oracle and noted that Oracle automatically rejected the entry of the duplicate document number.

No exceptions noted.

Control Objective 2 - Disbursements

Controls provide reasonable assurance that the disbursement of invoices and vouchers is authorized, reviewed, processed timely, reconciled, and properly documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of disbursements.

Customer Agency Invoice Approvals
ARC only processes disbursements for invoices with customer agency approval. Vendors can either send invoices to the customer agency or ARC, depending on the instructions in the purchase order. If invoices are sent to the customer agency, the customer agency reviews and approves the invoice and forwards the invoice and documentation of customer agency approval to ARC. When invoices are sent to ARC, ARC obtains customer agency approval through an executed receiving document, or ARC submits the invoice to an authorized customer agency contact for approval. Appropriate contacts are either specified in the purchase order or are communicated to ARC by the customer agency. Intragovernmental Payment and Collection transactions (IPACs) which decrease an ARC customer agency's Fund Balance with Treasury (FBWT) must be approved in advance by the customer agency, unless the IPAC was initiated against the customer agency by another federal agency. To ensure that IPAC transactions initiated against the customer agency by another federal agency are posted in the proper accounting period, ARC may obtain customer agency approval after the IPAC has been recorded. Disbursement may also occur with information from feeder systems (PRISM, GovTrip, and moveLINQ).

Statistical Sampling of Invoices
All invoices are subject to ARC internal review. System controls set at the user identification and/or vendor level ensure that payment of invoices greater than $2,500 which are processed by an accounting technician must be reviewed and approved by a lead accounting technician or an accountant. Invoices less than $2,500 are subject to statistical sampling by a lead accounting technician or an accountant. System user access profiles restrict accounting technicians' ability to process documents that require secondary review and approval and ensure proper segregation of duties is maintained. A 100% post audit management review is conducted monthly on all invoices greater than $2,500 that are both processed and approved by the same individual.

Temporary Duty Travel Vouchers
Customer agencies enter temporary duty travel vouchers into GovTrip and electronically route them to Approving Officials for review and approval. Approving Officials electronically sign the voucher with a status of "approved". All "approved" travel vouchers are interfaced daily via batch processing to Oracle, which records a disbursement in the general ledger. Each day an interface file is received from the GovTrip system which is used for processing, report generation, and identification of exceptions. The file is loaded into the Oracle interface and accepted records are added to Oracle as disbursements in the general ledger. The travel voucher is then matched against an existing authorization. A Travel Voucher Status Report is generated and reviewed to identify and correct data interface errors and exceptions between GovTrip and Oracle. To correct transactions of this nature, the transactions are manually entered into the system. Approved vouchers in GovTrip are reconciled daily by an accounting technician with an Oracle generated report to ensure that all GovTrip vouchers have been interfaced and processed in Oracle.
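The invoice review thresholds and segregation-of-duties rules described under Statistical Sampling of Invoices, modelled in Python as an added example (this is not ARC's or Oracle's code; the user ids, the role table, the sampling rate and the invoice records are constructed). It shows the access-profile rule a technician's approval is checked against, the population of self-approved invoices over $2,500 that the monthly 100% post audit review must cover, and a deterministic statistical sample of the smaller invoices:

```python
from dataclasses import dataclass
from decimal import Decimal
import random

# Threshold from the report: invoices greater than $2,500 require secondary review.
REVIEW_THRESHOLD = Decimal("2500")

# Role names follow the report; the user ids and this role table are constructed.
ROLES = {
    "tech1": "accounting_technician",
    "tech2": "accounting_technician",
    "lead1": "lead_accounting_technician",
    "acct1": "accountant",
}
SECONDARY_REVIEWERS = {"lead_accounting_technician", "accountant"}


@dataclass(frozen=True)
class Invoice:
    doc_number: str
    amount: Decimal
    processed_by: str
    approved_by: str
    period: str  # accounting period as YYYY-MM


def may_approve(user: str, invoice: Invoice) -> bool:
    """Access-profile rule: a technician may not approve an invoice over the threshold."""
    role = ROLES.get(user)
    if role is None:
        return False
    if invoice.amount > REVIEW_THRESHOLD:
        return role in SECONDARY_REVIEWERS
    return True


def profile_violations(invoices):
    """Invoices whose recorded approver was not permitted to approve them.

    Any hit here means the user access profile did not enforce the rule: a control failure.
    """
    return [inv for inv in invoices if not may_approve(inv.approved_by, inv)]


def self_approved_over_threshold(invoices, period: str):
    """Population for the monthly 100% post audit management review:
    over $2,500, processed and approved by the same individual."""
    return [
        inv for inv in invoices
        if inv.period == period
        and inv.amount > REVIEW_THRESHOLD
        and inv.processed_by == inv.approved_by
    ]


def sample_small_invoices(invoices, rate: float, seed: int):
    """Deterministic statistical sample of invoices not over the threshold.

    The report only says invoices less than $2,500 are sampled; an invoice of exactly
    $2,500 is assumed here to fall in the sampled pool, not the mandatory-review pool.
    """
    pool = [inv for inv in invoices if inv.amount <= REVIEW_THRESHOLD]
    if not pool:
        return []
    k = max(1, round(len(pool) * rate))
    return random.Random(seed).sample(pool, k)


# Constructed sample population (not data from the report).
SAMPLE_INVOICES = [
    Invoice("INV-001", Decimal("1200.00"), "tech1", "lead1", "2009-05"),
    Invoice("INV-002", Decimal("4800.00"), "tech1", "acct1", "2009-05"),
    # self-approved by an accountant: allowed by profile, caught by the monthly review
    Invoice("INV-003", Decimal("7300.00"), "acct1", "acct1", "2009-05"),
    # technician approved own large invoice: the profile should have blocked this
    Invoice("INV-004", Decimal("3100.00"), "tech2", "tech2", "2009-05"),
    Invoice("INV-005", Decimal("900.00"), "tech2", "tech2", "2009-06"),
    Invoice("INV-006", Decimal("2500.00"), "tech1", "tech1", "2009-06"),  # exactly at threshold
]

if __name__ == "__main__":
    for inv in profile_violations(SAMPLE_INVOICES):
        print("profile violation:", inv.doc_number)
    for inv in self_approved_over_threshold(SAMPLE_INVOICES, "2009-05"):
        print("monthly 100% review:", inv.doc_number)
    for inv in sample_small_invoices(SAMPLE_INVOICES, 0.5, seed=7):
        print("sampled:", inv.doc_number)
```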
In addition, GovTrip prevents a user from both entering and approving travel vouchers.

Statistical Sampling of Temporary Duty Travel Vouchers
Temporary Duty Services Branch (TDSB) staff complete a post audit review of temporary duty travel vouchers to verify the accuracy of the interfaced data and compliance with the Federal Travel Regulations (FTR), using statistical sampling procedures to select documents less than $2,500, based on the customer agency's travel policy (FTR or FTR/ARC). A 100% post audit review is conducted on all documents greater than $2,500. Errors discovered during the review are sent via e-mail to the traveler or document preparer and approving official to review and/or take action. Billing documents are created for amounts of $25 or greater owed by a traveler as a result of an overpayment that the customer agency has declared a debt of the government. The traveler sends a check to cover the overpayment.

Relocation Services Travel Vouchers
RSB personnel enter and audit each PCS travel voucher in moveLINQ, print them, and then send them to Approving Officials for review and approval. When the signed document is received by RSB, Relocation Coordinators stamp the document in moveLINQ with a status of "submitted". All "submitted" documents are interfaced daily via batch processing to Oracle, which records a disbursement in the general ledger. Submitted vouchers in moveLINQ are reconciled daily by an Accounting Technician with an Oracle generated report to ensure that all moveLINQ vouchers have been processed in Oracle. A weekly review of the reconciliation process is performed by a Travel Analyst.

Payment Date Calculations
Based on the customer agency's contracts with its suppliers, ARC staff enter into Oracle the invoice date and the later of (a) the invoice receipt date and (b) the earlier of the formal or constructive acceptance dates, based on the supporting documentation from the customer agency. On a daily basis, Oracle selects invoices that are due for payment and creates files for manual uploading into Treasury's Secure Payment System (SPS). The ARC SPS certifying officer compares the number and dollar amount of payments on the SPS generated schedule to the payment files generated by Oracle to ensure all payment files have been uploaded to Treasury. For invoices that are subject to the Prompt Payment Act, Oracle schedules payments to disburse 30 days after the later of the invoice receipt date and the earlier of the date of formal or constructive acceptance (unless the supplier's contract or invoice states otherwise). Any payments subject to the Prompt Payment Act that are paid after their Oracle scheduled due date are subject to prompt pay interest to cover the period the payment was due but not paid. Oracle automatically determines if interest is due based on the dates in the accounting system. If interest is due, Oracle calculates the interest and generates an interest payment to the vendor, provided the total interest is more than one dollar.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury's Financial Management Service (FMS) issues the Statement of Differences to agency location codes (ALC) when differences are identified between the cash activity reported by the agency on the FMS 224, Statement of Transactions, and data reported to Treasury's CA$HLINK II, GWA TDO Payments, and IPAC systems.
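The due-date rule and the one-dollar interest floor from the Payment Date Calculations section above, carried through in Python as an added example (not Oracle's scheduling logic; the annual interest rate, the actual/365 simple-interest formula, and the invoice dates are assumptions, since the report states neither a rate nor a formula):

```python
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

PROMPT_PAY_DAYS = 30            # from the report: disburse 30 days after the start date
MIN_INTEREST = Decimal("1.00")  # from the report: interest is paid only when it exceeds one dollar
DAYS_IN_YEAR = 365              # assumption for the simple-interest illustration below


def payment_start_date(invoice_received: date,
                       formal_acceptance: Optional[date] = None,
                       constructive_acceptance: Optional[date] = None) -> date:
    """Later of the invoice receipt date and the earlier of formal / constructive acceptance."""
    acceptances = [d for d in (formal_acceptance, constructive_acceptance) if d is not None]
    if not acceptances:
        raise ValueError("at least one acceptance date is required")
    return max(invoice_received, min(acceptances))


def scheduled_due_date(invoice_received: date,
                       formal_acceptance: Optional[date] = None,
                       constructive_acceptance: Optional[date] = None,
                       contract_days: Optional[int] = None) -> date:
    """Due date: 30 days after the start date unless the contract or invoice states another term."""
    term = PROMPT_PAY_DAYS if contract_days is None else contract_days
    start = payment_start_date(invoice_received, formal_acceptance, constructive_acceptance)
    return start + timedelta(days=term)


def late_interest(principal: Decimal, due: date, paid: date, annual_rate: Decimal) -> Decimal:
    """Interest for the days the payment was due but not paid (zero when paid on or before the due date).

    Simple interest on an actual/365 basis with an assumed rate; the report gives no formula.
    """
    days_late = (paid - due).days
    if days_late <= 0:
        return Decimal("0.00")
    raw = principal * annual_rate * days_late / DAYS_IN_YEAR
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def interest_payment(principal: Decimal, due: date, paid: date, annual_rate: Decimal) -> Optional[Decimal]:
    """Interest payment to generate for the vendor, or None when the total is not more than one dollar."""
    interest = late_interest(principal, due, paid, annual_rate)
    return interest if interest > MIN_INTEREST else None


def worked_example() -> dict:
    """Constructed invoice dates and an assumed 5% annual rate (not data from the report)."""
    received = date(2009, 3, 2)
    formal = date(2009, 3, 10)
    constructive = date(2009, 3, 9)      # earlier of the two acceptance dates
    rate = Decimal("0.05")
    due = scheduled_due_date(received, formal, constructive)
    return {
        # acceptance (Mar 9) is later than receipt (Mar 2): due Apr 8
        "due": due,
        # receipt after acceptance: the receipt date governs
        "due_received_late": scheduled_due_date(date(2009, 3, 15), formal, constructive),
        # contract states a 15-day term instead of the 30-day default
        "due_contract_15": scheduled_due_date(received, formal, constructive, contract_days=15),
        "interest_20_days_late": interest_payment(Decimal("10000.00"), due, due + timedelta(days=20), rate),
        "raw_interest_small": late_interest(Decimal("50.00"), due, due + timedelta(days=3), rate),
        "interest_small": interest_payment(Decimal("50.00"), due, due + timedelta(days=3), rate),
        "interest_on_time": interest_payment(Decimal("10000.00"), due, due, rate),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```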
ARC accountants\nminimize month-end disbursement differences by comparing preliminary FMS 224 disbursement\ndata to data obtained from Treasury\xe2\x80\x99s CA$HLINK II, GWA TDO Payments, and IPAC systems.\nAny differences identified by the accountant are corrected by an accounting technician or another\naccountant prior to the close of the accounting period. ARC accountants prepare monthly\nStatement of Differences reconciliations for supervisory review. If a Statement of Differences was\n\n                                               29       Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0creceived, the transaction(s) that caused the difference is (are) identified and if necessary,\ncorrecting entries are posted by an accounting technician or another accountant and reported in\nthe subsequent accounting period.\n\nBudget Execution System Controls\nCustomer agencies can establish and monitor both legally established and internally developed\nbudget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be\nestablished at the following levels of the accounting structure in Oracle:\n    \xe2\x80\xa2 Appropriation/Fund (Based upon the customer\xe2\x80\x99s appropriation)\n    \xe2\x80\xa2 Apportionment (Based upon the apportionment schedule on the SF132)\n    \xe2\x80\xa2 Cost Center (Based upon the customer\xe2\x80\x99s internal budget plan)\n    \xe2\x80\xa2 Reporting Category (Based upon the customer\xe2\x80\x99s internal budget plan)\n    \xe2\x80\xa2 Project Code (Based upon the customer\xe2\x80\x99s internal budget plan)\n    \xe2\x80\xa2 Budget Object Code (Based upon the customer\xe2\x80\x99s internal budget plan)\n\nBudget execution system controls can be set to prevent spending beyond the budget plan amount\nor allow spending over the budget plan amount at any level of the budget plan. 
Spending beyond\nthe apportionment and appropriation levels (legal levels) are prohibited. Decisions on control\nsettings that permit or prevent spending beyond other budget plan levels are made by the\ncustomer agency. System controls are applied at the fund level after passage of appropriation\nlegislation and a high level budget is loaded. Upon receipt and input of a detailed financial plan,\ncontrols will be established at the level dictated by the customer agency.\n\nBudget execution settings are determined by the customer agency and input into Oracle by the\nCSB. System settings are reviewed with the customer agency on an annual basis. Budget plans\nare input into Oracle by ARC staff, based upon budget plans provided by customer agencies.\n\nDocument Numbering\nAll accounting entries recorded into Oracle require a transaction or document identification\nnumber. System controls prohibit the use of duplicate document numbers for the same vendor on\naccounts payable transactions. ARC has developed and implemented a standard document-\nnumbering scheme to avoid duplicate document processing and to enable readers of ARC reports\nto better identify and/or determine the nature of transactions processed by ARC. 
When an ARC\nuser attempts to enter a transaction identification number that already exists, Oracle issues an\nerror message that alerts the user of the duplication.\n\nCustomer Agency Control Considerations\n\nCustomer agencies should establish controls to:\n\n\xe2\x80\xa2   Review the financial reports provided by ARC to ensure that disbursement transactions are\n    complete and accurate.\n\xe2\x80\xa2   Approve invoices for payment and send approved invoices to ARC in a timely manner.\n\xe2\x80\xa2   Ensure that invoices properly reflect the invoice receipt date and formal or constructive\n    acceptance date according to the Prompt Payment Act.\n\xe2\x80\xa2   Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period.\n\xe2\x80\xa2   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a\n    timely manner.\n\n                                               30        Control Objectives, Related Controls, and\n                                                                  Tests of Operating Effectiveness\n\x0c\xe2\x80\xa2   Maintain and communicate to ARC, a list of individuals authorized to approve invoices and\n    travel vouchers when it is not communicated in the authorizing agreement.\n\xe2\x80\xa2   Communicate customer agency required levels of budget and spending controls to ARC.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n\xe2\x80\xa2   Inspected written procedures for the processing of disbursements and determined that the\n    procedures were formally documented for the processing of disbursements.\n\xe2\x80\xa2   For a selection of invoices inspected documentation of Customer Agency authorization and\n    related general ledger entries and determined that disbursements were authorized and\n    processed timely.\n\xe2\x80\xa2   For a selection of Intergovernmental Payment and Collection transactions inspected\n    documentation of Customer Agency authorization and 
related general ledger entries and\n    determined that disbursements were authorized and processed timely.\n\xe2\x80\xa2   Observed an accountant process an invoice over $2,500 and determined that the system\n    automatically routed the invoice to a secondary lead accounting technician or an accountant\n    for review and approval.\n\xe2\x80\xa2   For a selection of months inspected evidence and determined that the 100% post audit\n    management reviews were conducted monthly on all invoices greater than $2,500 which were\n    both processed and approved by the same individual.\n\xe2\x80\xa2   Observed the daily GovTrip interface and noted that approved travel authorizations interfaced\n    into the Oracle system and were recorded as an obligation.\n\xe2\x80\xa2   For a selection of days inspected GovTrip voucher reconciliations and determined that\n    approved vouchers in GovTrip were reconciled daily to Oracle by an accounting technician.\n\xe2\x80\xa2   Observed a user in GovTrip attempting to approve their own travel voucher and noted that the\n    system automically prevented the user from approving their own travel voucher.\n\xe2\x80\xa2   For a selection of months inspected evidence of the statistical review of invoices less than\n    $2,500 and determined that the statistical review was performed subject to statistical sampling\n    by a lead accounting technician or an accountant.\n\xe2\x80\xa2   For a selection of months, inspected evidence of the supervisor review of temporary duty\n    travel voucher invoices over $2,500 that were processed and approved by the same individual\n    and determined that the supervisor reviewed the invoices and performed follow-up to validate\n    the self-approval.\n\xe2\x80\xa2   Observed relocation vouchers interfaced into Oracle and determined that the approved\n    vouchers were interfaced via automated batch process.\n\xe2\x80\xa2   For a selection of days inspected evidence and determined that the vouchers in 
moveLINQ were reconciled daily by an Accounting Technician within an Oracle-generated report.
• For a selection of weeks, inspected reconciliations and determined that a weekly reconciliation process was performed by an RSB Accountant/Travel Assistant.
• For a selection of days, inspected evidence that the ARC SPS certifying officer compared the number and dollar amount of payments and determined that the review was completed daily to ensure interfaces were uploaded completely.
• For a selection of invoices subject to the Prompt Payment Act, inspected documentation and determined that Oracle schedules payments to disburse 30 days after the later of the invoice receipt date and the earlier of the date of formal or constructive acceptance (unless the supplier’s contract or invoice states otherwise).
• For a selection of late payments, inspected evidence and determined that proper interest was calculated and paid based on the number of days the payment was late.
• For an example late payment, recalculated the interest owed and determined that Oracle calculated interest and generated an interest payment to the vendor.
• For a selection of months, inspected the Statement of Differences and determined that supervisors reviewed the reconciliations.
• For identified differences from the selection of months and customer agencies, inspected evidence and determined that the accounting technicians or another accountant corrected differences prior to the close of the accounting period or in the subsequent accounting period if necessary based on timing.
• For a selection of customer agencies,
inspected evidence and determined that for the year they specified their budget controls, they were input by CSB staff, and then reviewed by a supervisor for completeness and accuracy.
• Observed an ARC staff member attempt to enter a transaction into Oracle with a document number that had already been entered into Oracle and noted that Oracle automatically rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 3 – Unfilled Customer Orders, Receivables, and Cash Receipts

Controls provide reasonable assurance that unfilled customer orders, receivables, and cash receipts are reconciled and properly documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of unfilled customer orders, receivables, and cash receipts.

Customer Agency Approval
ARC only processes unfilled customer orders, receivables, and cash receipts with customer agency approval, with the exception of checks received for deposit directly by ARC on the customer’s behalf for accounts payable invoice refunds of overpayments and/or vendor rebates. Customer agencies either send signed source documents or provide a summary of their transactions via fax or e-mail. ARC enters all transactions into Oracle, where they are available for review through reporting systems.
To help ensure that cash receipts are posted in the proper accounting period, ARC may obtain customer agency approval after the cash receipt has been recorded.

Reconciliation – Fund Balance With Treasury Activity
Each month, Treasury’s FMS issues the Statement of Differences to ALCs when differences are identified between the cash activity reported by the agency on the FMS 224, Statement of Transactions, and data reported to Treasury’s CA$HLINK II and IPAC systems. ARC accountants minimize month-end differences relating to collections by comparing preliminary FMS 224 collection data to Treasury’s CA$HLINK II and IPAC systems. Any differences identified by the accountant are corrected by an accounting technician or another accountant prior to the close of the accounting period. ARC accountants prepare monthly Statement of Differences reconciliations for supervisory review. If a Statement of Differences was received, the transaction(s) that caused the difference is (are) identified and, if necessary, correcting entries are posted by an accounting technician or another accountant and reported in the subsequent accounting period.

Reporting – Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for all customer agencies. This report requires agencies to track the collection of receivables and report on the status of delinquent balances according to an aging schedule. Accountants that are responsible for preparing the Report on Receivables Due from the Public review and reconcile all activity (i.e., new receivables, revenue accruals, collections, adjustments and write-offs) with the public on a quarterly basis. An ARC supervisory accountant reviews the report. Customer agencies are responsible for monitoring and pursuing collection of delinquent balances.
On an annual basis, the customer agency’s Chief Financial Officer must certify that the report submitted to the Department of the Treasury is accurate and consistent with agency accounting systems.

Intragovernmental Transactions
ARC adheres to applicable intragovernmental elimination guidance. This involves recording transactions at a level that allows for identification of its governmental trading partners and for reconciling the transactions/balances with trading partners on a quarterly basis. For its non-Treasury and non-Homeland Security customer agencies, ARC accountants reconcile fiduciary account balances with their trading partners (Bureau of Public Debt, Office of Personnel Management and Department of Labor) after uploading account balances into the Intragovernmental Fiduciary Confirmation System (IFCS). The Department of Treasury and the Department of Homeland Security utilize IFCS to reconcile Treasury and Homeland Security agency fiduciary account balances with trading partners. For the non-fiduciary transactions of its customer agencies, ARC accountants prepare and submit confirmations to the appropriate trading partners in accordance with the elimination reconciliation guidance. Upon submitting the confirmations to the trading partners, ARC works with the trading partners to reconcile transactions/balances and identify and record any necessary adjustments. Reconciliations are not performed for non-Treasury customer agencies. Non-Treasury customer agencies receive confirmations only.

Document Numbering
All accounting entries recorded in Oracle require a transaction or document identification number. System controls prohibit the use of duplicate document numbers on unfilled customer orders and receivables.
A system control alerts the user of the use of duplicate document numbers on cash receipt and advance transactions. ARC has developed and implemented a standard document-numbering scheme to avoid duplicate document processing and to enable readers of ARC reports to better identify and/or determine the nature of transactions processed by ARC. When an ARC user attempts to enter a transaction identification number that already exists, Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Considerations

Customer agencies should establish controls to:

• Send approved and accurate documentation of unfilled customer orders, receivables, and cash receipts to ARC in the proper period.
• Review unfilled customer orders, receivable and advance reports for completeness, accuracy, and validity.
• Monitor and pursue collection of delinquent balances.

Tests of Operating Effectiveness and Results of Testing

• Inspected written procedures for the processing of unfilled customer orders, cash receipts, receivables, advances, and write-offs and observed ARC personnel process transactions and noted that the transactions were processed in accordance with the procedures.
• For a selection of unfilled customer orders, inspected documentation of Customer Agency authorization and determined that transactions were authorized by Customer Agencies.
• For a selection of receivables, inspected documentation of Customer Agency authorization and determined that the transactions were authorized by Customer Agencies.
• For a selection of cash receipts, inspected documentation of Customer Agency authorization and determined that transactions were authorized by Customer Agencies.
• For a selection of months, inspected Statement of Differences reconciliations and determined that reconciliations were
documented and that any correcting entries were posted by an accounting technician or another accountant and reported in the subsequent accounting period.
• For a selection of quarters, inspected the Report on Receivables Due from the Public reconciliations and determined that reconciliations were documented.
• For a selection of quarters, inspected Reports on Receivables Due from the Public and determined that they were reviewed by an ARC supervisory accountant.
• Inspected a quarterly selection of intra-governmental confirmations and reconciliations and determined that confirmations were sent, reconciliations were documented, and trading partners were identified.
• Inspected a quarterly selection of non-Treasury and non-Homeland Security customer agency Intragovernmental Fiduciary Confirmation System balances and determined that fiduciary account balances were reconciled with trading partner balances.
• Inspected a selection of non-fiduciary transaction confirmations of ARC customer agencies and determined that ARC accountants prepared and submitted confirmations to the appropriate trading partners in accordance with the elimination reconciliation guidance.
• Inspected a selection of transaction(s)/balance(s) reconciliations and determined that upon submitting the confirmations to the trading partners, ARC worked with the trading partners to reconcile transactions/balances and identify and record any necessary adjustments.
• Inspected a selection of reconciliations and determined that confirmations were performed for non-Treasury customer agencies.
• Observed an ARC staff member attempt to enter
into Oracle a transaction with a document number that had already been entered into Oracle and noted that Oracle automatically rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 4 – Deposits

Controls provide reasonable assurance that checks are secure and deposited timely by appropriate personnel and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for the safeguarding and recording of deposits.

Safeguarding Checks
Checks received by the mailroom are scanned and a batch ticket with the number of checks received is generated. Copies of the batch ticket along with the checks are sent via confidential mail to the appropriate ARC branch. An ARC accounting technician or administrative staff member who does not have accounting system access to post accounts receivable transactions receives, opens and logs all checks received in the branch’s check deposit log. The number of checks received is compared to the number of checks listed on the batch ticket. Checks are to be deposited as soon as possible after the purpose and validity of the check’s issuance are identified. While the accounting technician responsible for processing deposits for the customer agency is researching the check’s purpose and validity, the check is locked in the ARC administrative staff member’s drawer until it is ready to be deposited.

Manual Deposits – Segregation of Duties
When the check is ready for manual deposit, a deposit ticket and the check are placed in a locked bag and picked up by the mail clerk.
A copy of the deposit ticket is retained by the ARC administrative staff member for comparison with the receipt and deposit ticket signed by the bank teller. The mail clerk delivers the locked bag containing the deposit ticket and checks to the local federal depository. The bag containing the bank teller’s deposit ticket and receipt is returned to the branch office that processed the deposit. After the bank teller receipt and deposit ticket are compared to the copy retained by the branch and the ARC administrative staff member updates the check deposit log to record the date the deposit was made, an accounting technician processes the cash receipt in the accounting system.

Paper Check Conversion System Deposits and Reconciliation
For customers using the Paper Check Conversion (PCC) system, an ARC accounting technician or administrative staff member will scan each check into the PCC system. The batch list is automatically and temporarily saved to the server until it is transmitted to the Federal Reserve Bank (FRB) by the ARC accounting technician or administrative staff member. Upon settlement with the FRB, the ARC accounting technician reconciles the batch list with the paper checks and signs off to indicate the reconciliation is complete. After reconciliation, the checks are stamped “VOID” by the ARC accounting technician or administrative staff member and held awaiting confirmation of the deposit in the Federal Reserve’s deposit application. Upon confirmation, the ARC accounting technician or administrative staff member destroys the voided checks.
The cash receipt is recorded in Oracle by an independent ARC accounting technician and reviewed and approved by an accountant.

Tests of Operating Effectiveness and Results of Testing

• Inspected written procedures for the safeguarding and recording of deposits and determined that ARC had documented procedures for the safeguarding and recording of deposits.
• Inspected the checks received by the mailroom and the associated batch tickets and determined that a batch ticket with the number of checks received was generated.
• From a selection of batch tickets generated by the mailroom, inspected notes and determined that copies of batch tickets were sent via confidential mail to the appropriate ARC branch.
• Inspected a selection of check logs and determined that an ARC administrative staff member who did not have accounting system access to post accounts receivable transactions received, opened and logged all checks received in the branch’s check deposit log.
• Inspected a selection of checks received and associated batch tickets and determined that the number of checks received was compared to the number of checks listed on the batch ticket.
• Inspected a selection of check deposit records and check issuance attributes and determined that checks were deposited in a timely manner after the purpose and validity of the check’s issuance were identified.
• For a selection of un-deposited checks from the check deposit log, observed the checks and noted they were properly secured in a locked drawer.
• For a selection of checks ready for deposit, observed that the deposit tickets and the
checks were placed in a locked bag and picked up by the mail clerk.
• Inspected a selection of signed check deposit logs and determined that a copy of the checks was retained by the ARC administrative staff member for comparison with the receipt and deposit ticket signed by the bank teller.
• Inspected a selection of reconciliations from the deposit tickets to the bank teller deposit tickets and receipts and determined that the reconciliations were performed.
• For a selection of dates, inspected PCC reconciliations and determined that the reconciliations were performed and exceptions were resolved.

No exceptions noted.

Control Objective 5 – Payroll Accruals

Controls provide reasonable assurance that period-end payroll accruals are processed timely, reviewed, and properly documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll accruals.

System Calculation of Accruals
Payroll accruals are recorded on a monthly basis and reversed in the subsequent accounting period. The payroll accrual is a prorated calculation performed by the accounting system that is based on the most recent payroll disbursement data available. To make its calculation, the accounting system requires a payroll accountant to enter specific parameters (e.g., number or percentage of workdays to accrue and the base pay period number).

Manual Verification of Accruals
A payroll accountant independently reviews the accounting system calculated accrual for reasonableness.
The payroll accountant recalculates the accrual using an Excel spreadsheet to multiply the last full pay period disbursement by the number of days accrued divided by ten days. The payroll accountant compares the recalculated payroll amount to the accounting system calculation for reasonableness. The payroll accountant researches and identifies any material differences not explained by non-recurring budget object classes. Those differences are corrected in the period in which they are identified. The payroll accountant provides the spreadsheet to a supervisor or manager for review and approval.

Customer Agency Control Considerations

• Review the financial reports provided by ARC to ensure that payroll accruals are complete and accurate.

Tests of Operating Effectiveness and Results of Testing

• Inspected written procedures for the processing of payroll accruals and determined that the procedures were formally documented for the processing of payroll accruals.
• For a selection of months, inspected payroll accrual invoices for a selection of customer agencies for entry into the system and determined that payroll accruals were entered timely.
• For a selection of months for a selection of customer agencies, inspected supervisor-signed payroll verification spreadsheets and payroll accrual invoices for entry into Oracle and determined that payroll accruals were verified and entered timely and then reviewed and approved by a supervisor or manager.

No exceptions noted.

Control Objective 6 – Payroll Disbursements

Controls provide reasonable assurance that payroll disbursement data (disbursed by a third party) is reviewed, reconciled, and properly
documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of payroll disbursements.

Automated Payroll Posting Process
Third-party payroll processors transmit payroll files to ARC during the first and/or second weeks after the end of a pay period, depending on the payroll provider and the need to record payroll adjustments. Upon converting the data into a format that can be uploaded into Oracle, the ARC payroll accountant reconciles the converted data to the original raw data from the third-party processors. The ARC payroll accountant processes payroll entries using a batch interface that posts summary payroll data to Oracle. The payroll accountant reviews and corrects transactions that reject in the interface. A Discoverer report is used to identify those records that reject. The payroll accountant contacts the customer for resolution of erroneous accounting codes, funding issues, or other circumstances that would prevent the payroll from being recorded. Until the errors are cleared, the data are viewed as invalid and cannot be transferred to Oracle. If the third-party payroll processor provides adjustment files for additional transactions between main payroll files, the ARC payroll accountant follows the same procedure for processing these files.

Reconciliation – Payroll Activity
Payroll accountants prepare a monthly reconciliation of payroll disbursements recorded in Oracle and payroll disbursements reported by the third-party payroll processors. The payroll accountant investigates and resolves any differences identified. This reconciliation is reviewed and approved by the supervisor or manager of ARC’s Central Accounting Branch. In addition, ARC branch accountants prepare monthly GWA Account Statement reconciliations from the general ledger to Treasury’s record.
Any reconciliation differences requiring correction that are identified by the branch accountant who prepares the GWA Account Statement reconciliation are posted by another accountant or accounting technician in a subsequent accounting period. ARC supervisory accountants review and approve the GWA Account Statement/Fund Balance with Treasury reconciliations.

Customer Agency Control Considerations

Customer agencies should establish controls to:

• Verify that payroll processed by third-party providers is complete and accurate.
• Review the financial reports provided by ARC to ensure that payroll disbursements are complete and accurate.

Tests of Operating Effectiveness and Results of Testing

• Inspected written procedures for the processing of payroll disbursements and determined that consistent use of the procedures by staff was likely to help prevent the inaccurate, unauthorized, or untimely entry of payroll disbursements into ARC information systems.
• Inspected an interface error report and determined that during the interface, input files were checked for errors, interface error reports were created if errors were identified, and the data would not interface until errors were corrected.
• For a selection of months, inspected payroll reconciliations and determined that reconciliations were performed and that any exceptions were resolved.
• For a selection of months, inspected GWA Account Statement, Undisbursed Appropriation Account Ledger reconciliations and determined that reconciliations were performed and that any exceptions were resolved.

No exceptions noted.
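The two payroll controls described under Control Objective 6, the interface that holds a batch until records with erroneous accounting codes are cleared and the monthly reconciliation of processor-reported disbursements to Oracle postings, as an added Python example. This is illustrative code written for this page, not ARC's Oracle interface or Discoverer report; the accounting codes, payroll file lines and Oracle postings are constructed for the example.

```python
"""Added example: a payroll interface gate and a monthly payroll reconciliation.

Illustrative code, not ARC's Oracle interface. The accounting codes, payroll
file lines and Oracle postings below are constructed for the example.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed list of accounting codes the customer agency has set up in Oracle.
VALID_CODES = {"020-FY09-SAL", "020-FY09-BEN", "020-FY09-OT"}

# Constructed lines from a third-party payroll processor file, after conversion.
PAYROLL_FILE = [
    {"pp": "PP13", "code": "020-FY09-SAL", "amount": "41250.00"},
    {"pp": "PP13", "code": "020-FY09-BEN", "amount": "9875.50"},
    {"pp": "PP13", "code": "020-FY9-OT", "amount": "1200.00"},   # mistyped code
    {"pp": "PP14", "code": "020-FY09-SAL", "amount": "41250.00"},
    {"pp": "PP14", "code": "020-FY09-BEN", "amount": "9875.50"},
]

# Constructed summary postings already in the general ledger for the same month.
ORACLE_POSTINGS = [
    {"pp": "PP13", "code": "020-FY09-SAL", "amount": "41250.00"},
    {"pp": "PP13", "code": "020-FY09-BEN", "amount": "9875.50"},
    {"pp": "PP13", "code": "020-FY09-OT", "amount": "1200.00"},
    {"pp": "PP14", "code": "020-FY09-SAL", "amount": "41250.00"},
    {"pp": "PP14", "code": "020-FY09-BEN", "amount": "9785.50"},  # transposed digits
]


def interface_batch(records, valid_codes=VALID_CODES):
    """Stand-in for the batch interface: every record is checked, records with
    an unknown accounting code go on the error report, and nothing posts while
    the error report is non-empty (the whole batch is held as invalid)."""
    errors = [r for r in records if r["code"] not in valid_codes]
    posted_ok = not errors
    return {
        "posted_ok": posted_ok,
        "posted": list(records) if posted_ok else [],
        "errors": errors,
    }


def summarize(records):
    """Total amounts by (pay period, accounting code)."""
    totals = defaultdict(lambda: Decimal("0"))
    for r in records:
        totals[(r["pp"], r["code"])] += Decimal(r["amount"])
    return totals


def reconcile(processor_records, oracle_records):
    """Monthly reconciliation: processor-reported versus Oracle-recorded totals.
    Returns one row per (pay period, code) whose totals do not agree, so an
    accountant can investigate each difference."""
    left, right = summarize(processor_records), summarize(oracle_records)
    differences = []
    for key in sorted(set(left) | set(right)):
        p, o = left.get(key, Decimal("0")), right.get(key, Decimal("0"))
        if p != o:
            differences.append({
                "pp": key[0], "code": key[1],
                "processor": p, "oracle": o, "difference": p - o,
            })
    return differences


if __name__ == "__main__":
    first = interface_batch(PAYROLL_FILE)
    print("batch posted:", first["posted_ok"], "errors:", first["errors"])
    # After the customer corrects the accounting code, the batch is re-run.
    cleared = [dict(r, code="020-FY09-OT") if r["code"] == "020-FY9-OT" else r
               for r in PAYROLL_FILE]
    second = interface_batch(cleared)
    for row in reconcile(second["posted"], ORACLE_POSTINGS):
        print(row)
```

The first run rejects the whole batch because one record carries a code that does not exist in Oracle; only after the code is corrected does anything post. The reconciliation then surfaces the one pay period and code where the ledger disagrees with the processor file, which is the item the payroll accountant would research before the supervisor signs the reconciliation.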
Control Objective 7 – USSGL

Controls provide reasonable assurance that transactions are processed in accordance with the U.S. Standard General Ledger (USSGL) and Treasury Financial Manual (TFM) guidance.

Description of Controls

ARC has documented procedures for processing transactions consistent with the USSGL.

Transaction Set-up Controls
ARC records proprietary and budgetary accounting entries using the USSGL at the transaction level. This is accomplished using a combination of transaction code, system setup, and data entry in Oracle. In addition, Oracle cross-validation rules have been established to prevent transactions from being processed to inappropriate USSGL accounts.

ARC follows the TFM to establish accounting transaction posting models in Oracle. System administrators require written authorization from a supervisor or manager to establish new posting models for transaction processing.

On an annual basis, ARC supervisors and managers review the USSGL Board’s proposed and approved additions, deletions and/or modifications to USSGL account titles and/or account descriptions to determine their applicability to ARC customer agencies. Once the changes to the USSGL are approved by Treasury’s FMS and the new TFM guidance is issued (generally mid-summer), ARC supervisors and managers communicate the appropriate changes to system administrators to ensure the accounting transaction posting models are revised.
All USSGL-related system modifications are completed by the start of the first accounting period of the new fiscal year.

General Ledger Account Reconciliations
Accountants perform general ledger account reconciliations (utilizing accounting system subledgers or Excel spreadsheets) on balance sheet accounts, except where account subledgers are not made available to ARC, for supervisory review, to ensure related accounting transactions were posted to the appropriate general ledger accounts. ARC accountants prepare budgetary-to-proprietary account relationship reconciliations on a monthly basis, for supervisory review, to ensure complete general ledger account posting for all recorded transactions. An accounting technician or an accountant corrects invalid out-of-balance relationships.

FACTS I Edit Checks
ARC enters pre-closing adjusted trial balances for its non-Treasury customers, except for the Department of Homeland Security, into the FACTS I system at the Treasury appropriation/fund group level using USSGL accounts and attributes. Treasury’s FMS maintains the FACTS I system. The FACTS I system checks that the trial balance has, in aggregate, equal debit and credit balances before the trial balance can be submitted in FACTS I. FACTS I also flags abnormal balances for scrutiny by an ARC accountant. After entering the adjusted trial balances into FACTS I, ARC reviews the submitted balances and resolves any invalid abnormal balances or out-of-balance conditions. Once any necessary corrections have been made, the accountant submits the adjusted trial balance into the FACTS I system.

FACTS II Edit Checks
ARC submits the FACTS II files for its non-Treasury customers, except for the Department of Homeland Security, using a bulk file upload.
Accountants create the bulk files by running a job within the Oracle application. Oracle requires the data to pass several edit checks before it will create the bulk file. ARC manually uploads the FACTS II files into the FACTS II system. Treasury’s FMS maintains the FACTS II system. The FACTS II system performs USSGL edit checks and rejects any files that fail the edit checks. ARC investigates and resolves any files rejected by the FACTS II system.

Treasury Information Executive Repository (TIER) Validation Checks
For ARC’s Treasury and Department of Homeland Security customer agencies, FACTS I and II reporting requirements are met using TIER. TIER is Treasury’s departmental data warehouse that receives monthly uploaded financial accounting and budgetary data from the bureaus and other reporting entities in a standardized format. Data submitted to TIER by an ARC accountant is validated based on system-defined validation checks.

ARC has customized programs in Oracle that extract the accounting and budgetary data in the required TIER format. TIER has a standardized chart of accounts that is compliant with USSGL guidance issued by the Department of the Treasury. FACTS II edit checks are incorporated in the TIER validation checks. After submitting the adjusted trial balances into TIER, ARC accountants review the edit reports and resolve any invalid attributes or out-of-balance conditions.
ARC accountants document this review by completing the TIER Submission Checklist, which is further reviewed by a supervisor.

Financial Statement Crosswalks
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary Resources for all customer agencies that are covered by the Chief Financial Officer Act and the Accountability of Tax Dollars Act of 2002. The statements are submitted each quarter to the Director of the Office of Management and Budget (OMB) and the Congress. Additionally, ARC accountants prepare the Statement of Changes in Net Position and Statement of Custodial Activity (when applicable) for all customer agencies. ARC accountants compare TFM financial statement crosswalks to ARC’s internally prepared financial statements to ensure compliance with the reporting requirements. ARC investigates and resolves any differences between TFM financial statement crosswalks and ARC’s internally prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security customer agencies, quarterly financial statements are produced by departmental systems using the data submitted in TIER. Quarterly consolidated financial statements are submitted to the Director of OMB and the Congress by the Department. ARC accountants compare the quarterly financial statements to ARC’s internally prepared financial statements; the comparison is further reviewed by a supervisor, and any differences are resolved.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security customer agencies, accountants prepare a quarterly financial statement variance analysis. Explanations for variances that exceed Department materiality thresholds must be provided to the Department. The Department submits a consolidated analysis to OMB.
The bureau variance analysis is reviewed by an ARC supervisory accountant and approved by the bureau CFO or designee prior to submission to the Department. The Homeland Security bureau variance analysis is also certified by an ARC manager as part of the CFO certification letter.

For non-Treasury and non-Homeland Security customer agencies, accountants prepare a quarterly financial statement variance analysis for interim periods based on the guidance in OMB Circular A-136. Explanations for variances that exceed the OMB Circular A-136 guidelines are provided to OMB. The variance analysis is reviewed by an ARC supervisory accountant prior to submission to OMB.

Tests of Operating Effectiveness and Results of Testing

• Inspected written procedures for the processing of transactions consistent with the USSGL and determined that the procedures were documented.
• Observed the processing of a transaction to an inappropriate USSGL account and noted the existence of Oracle cross-validation rules.
• Inspected a list of users with access to change posting models and determined that the system administrators had access to administer posting models.
• For a selection of posting model changes and additions, inspected ARC supervisory approval of the changes and inspected TFM/USSGL guidance and determined that the changes and additions were authorized and that they were in agreement with TFM/USSGL guidance.
• Inspected evidence of the annual review of USSGL account titles and descriptions and determined that the annual review was performed by ARC supervisors and managers.
• For a selection of months, inspected monthly general ledger account reconciliations
and\n    determined that the reconciliations were performed, any exceptions were resolved and the\n    reconciliation was reviewed by an ARC supervisor.\n\xe2\x80\xa2   Inspected a selection of FACTS I edit check reports and determined that FACTS I were\n    completed, reviewed, and any issues were resolved.\n\xe2\x80\xa2   Inspected a selection of Reporting and Reconciliation Internal Control Checklists and\n    determined that the FACTS I was completed.\n\xe2\x80\xa2   Observed the staff run the Oracle job that creates the FACTS II bulk data upload file and\n    noted that the Oracle edit checks were applied to the data, and that the ARC accountant\n    resolved any exceptions.\n\xe2\x80\xa2   Inspected a selection of TIER Submission Checklists and determined that TIER submissions\n    were reviewed by an ARC supervisor.\n\xe2\x80\xa2   For a selection of quarters for a selection of customer agencies, inspected ARC comparison of\n    FMS financial statement crosswalk with ARC\xe2\x80\x99s internally prepared financial statements and\n    determined that ARC complied with reporting requirements.\n\xe2\x80\xa2   Inspected results ARC investigation of Treasury\xe2\x80\x99s financial statement crosswalk and ARC\xe2\x80\x99s\n    internally prepared financial statements and determined that ARC investigated and resolved\n    any differences.\n\xe2\x80\xa2   Inspected a quarterly selection of financial statement reviews and determined that the\n    reconciliations were reviewed and approved by an ARC supervisor.\n\xe2\x80\xa2   For a selection of months, inspected reconciliation of financial statements prepared by\n    Treasury to internally prepared financial statements and determined that reconciliations were\n    performed, any exceptions were resolved and they were reviewed by a supervisory accountant\n    before submission.\n\nNo exceptions noted.\n\n                                              43        Control Objectives, Related Controls, and\n                  
                                               Tests of Operating Effectiveness\n\x0cControl Objective 8 - Accruals\n\nControls provide reasonable assurance that the period-end accruals are authorized, processed\ntimely, reviewed, reconciled, and properly documented in accordance with ARC policies and\nprocedures.\n\nDescription of Controls\n\nARC has documented procedures for staff to follow for the processing of accruals.\n\nCustomer Review of Revenue and Expense Accruals\nAccounting technicians record period-end accruals for goods and services provided/received, but\nnot billed/invoiced, in Oracle based on instruction provided from the customer agency.\n\nFor all customer agencies, except the Treasury Franchise Fund, accounting technicians record\nperiod-end accruals for goods and services provided, but not billed in the accounting system\nthrough standard accrual transactions. For Treasury Franchise Fund customer agencies,\naccounting technicians record period-end accruals for goods and services provided but not billed\nin Oracle using an automated journal entry process. The amounts recorded are based on\ninformation provided by e-mail from the customer agency. Accounting technicians enter\ninformation received from the customer agency into a spreadsheet template. An accountant\nreviews the spreadsheet and converts it into a data file that is automatically loaded into Oracle\nand reviewed and approved by a supervisory accountant.\n\nNon-Invoice Accrual Reviews\nAccountants record non-invoice related expense accruals, such as workers' compensation and\nleave liability in Oracle. The workers' compensation accruals are based on historical trend\nanalysis and/or actual costs incurred. The leave liability accruals are based on data provided by\nthe customer agency's payroll provider or Human Resources office. 
For applicable customer agencies, the ARC payroll accountant processes payroll leave accrual entries using a batch interface that posts summary payroll data to Oracle. For non-batch interfaced leave accruals, a supervisory accountant reviews the accrued employee benefits to determine that the accrual is processed and posted.

Scorecard Review
Treasury's monthly data scorecard verifies that certain non-invoice related expense accruals are recorded on at least a quarterly basis. Supervisory accountants validate the quality of TIER data by reviewing an ARC accountant-prepared TIER Submission Checklist, which includes verification that non-invoice related expense accruals are posted at least quarterly. Additionally, both ARC supervisory accountants and managers maintain Treasury’s monthly data quality scorecard so that it can be reviewed as needed to monitor the quality of the data submitted.

General Ledger to Subledger Reconciliation
On a monthly basis, ARC accountants prepare a reconciliation of revenue and expense accrual balances in the general ledger to the subledger detail, which is reviewed by a supervisor. Accountants reconcile only billed revenue accruals, since unbilled revenue accruals are recorded directly in the general ledger. Any differences identified are corrected by an accounting technician or accountant in the subsequent accounting period.

Budget Execution System Controls
Customer agencies can establish and monitor both legally established and internally developed budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF132)
    • Cost Center (Based upon the customer’s internal budget plan)
    • Reporting Category (Based upon the customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount or allow spending over the budget plan amount at any level of the budget plan. Spending beyond the apportionment and appropriation levels (legal levels) is prohibited. Decisions on control settings that permit or prevent spending beyond other budget plan levels are made by the customer agency. System controls are applied at the fund level after passage of appropriation legislation and a high-level budget is loaded. Upon receipt and input of a detailed financial plan, controls will be established at the level dictated by the customer agency.

Budget execution settings are determined by the customer agency and input into Oracle by the CSB. System settings are reviewed with the customer agency on an annual basis. Budget plans are input into Oracle by ARC staff, based upon budget plans provided by customer agencies.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification number. System controls prohibit the use of duplicate document numbers on revenue and expense accruals.
ARC has developed and implemented a standard document-numbering scheme to avoid duplicate document processing and to enable readers of ARC reports to better identify and/or determine the nature of transactions processed by ARC. When an ARC user attempts to enter a transaction identification number that already exists, Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Review open accrual reports for completeness, accuracy, and validity.
•   Approve and send revenue and expense accruals to ARC in a timely manner.
•   Communicate customer agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of accruals and observed ARC staff processing accruals, and noted that the processing was in accordance with the procedures.
•   For a selection of accruals, inspected documentation of Customer Agency authorization and supervisory accountant review and determined that the accruals were authorized and reviewed appropriately.
•   For a selection of months, inspected non-invoice batch payroll leave accruals and determined that the files were sent to ARC for processing and posting of summary payroll data to the core accounting system.
•   For a selection of months, inspected non-invoice non-batch leave accruals and determined that a supervisory accountant reviewed the manually calculated leave accruals to ensure they were properly calculated and input into Oracle.
•   For a selection of months, inspected TIER Submission Checklists for evidence of ARC supervisory review of TIER data and timeliness of submission and determined that submissions had been reviewed.
•   For a selection of months, inspected scorecard documentation and determined that the scorecards were maintained for supervisory review if necessary.
•   For a selection of months, inspected reconciliations of revenue and expense accrual balances in the general ledger to the subledger detail and determined that reconciliations were performed and that any exceptions identified were resolved.
•   For a selection of customer agencies, inspected evidence and determined that for the year, the budget controls they specified were input by CSB staff and then reviewed by a supervisor for completeness and accuracy.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document number that had already been entered into Oracle and noted that Oracle automatically rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 9 – Government-Wide Reporting

Controls provide reasonable assurance that Government-wide reporting is performed in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the preparation of government-wide reports.

FACTS I & II
ARC policies require the submission of FACTS I and FACTS II reports based on FMS’s criteria for these applications. All reports must pass all FACTS edit checks.
For non-Treasury customer agencies, except the Department of Homeland Security, supervisory accountants review all submissions prepared by accountants and review all data to ensure all reporting deadlines are met. All fourth quarter FACTS II submissions require certification by an ARC supervisor or manager, or other designated customer agency representative.

TIER
Treasury reporting entities are required to submit financial accounting and budgetary data each month to TIER, Treasury’s data warehouse, within Treasury’s submission timeline, which is generally the third business day of the subsequent month. The Department of Homeland Security reporting entities are required to submit financial accounting and budgetary data each month to TIER, Homeland Security’s data warehouse, within Homeland Security’s submission timeline, which is generally the fifth business day of the subsequent month. To meet this requirement, ARC performs the Oracle month-end close processes on the second business day after the end of the month. Supervisory accountants validate the quality of TIER data to ensure reporting deadlines are met by reviewing an accountant-prepared TIER Submission Checklist. The TIER Submission Checklist consists of internally and Treasury department defined data quality standards. In order to monitor the quality of the data submitted, supervisory accountants and managers review, as needed, Treasury’s monthly data quality scorecard.

EFT and Prompt Payment
ARC follows the Treasury guidelines for the EFT and Prompt Payment reports for its customers. ARC accountants or lead accounting technicians prepare these reports on a monthly basis. Supervisory accountants review these reports before submission. Treasury also requires that a customer agency representative sign the Prompt Payment reports.

Financial Statements
ARC accountants prepare a Balance Sheet, Statement of Net Cost and Statement of Budgetary Resources for all customer agencies that are covered by the Chief Financial Officer Act and the Accountability of Tax Dollars Act of 2002. The statements are to be submitted each quarter to the Director of the OMB and the Congress. Additionally, ARC accountants prepare the Statement of Changes in Net Position and Statement of Custodial Activity (when applicable) for all customer agencies. ARC accountants compare TFM financial statement crosswalks to ARC’s internally prepared financial statements to ensure compliance with the reporting requirements. ARC investigates and resolves any differences between TFM financial statement crosswalks and ARC’s internally prepared financial statements.

Financial Statement Review
For Department of Treasury and Department of Homeland Security customer agencies, quarterly financial statements are produced by departmental systems using the data submitted in TIER. Quarterly consolidated financial statements are submitted to the Director of OMB and the Congress by the Department. ARC accountants compare the quarterly financial statements to ARC’s internally prepared financial statements, for supervisory review, and resolve any differences.

Financial Statement Variance Analysis
For both Department of Treasury and Department of Homeland Security customer agencies, accountants prepare a quarterly financial statement variance analysis. Explanations for variances that exceed Department materiality thresholds must be provided to the Department.
The Department submits a consolidated analysis to OMB. The bureau variance analysis is reviewed by an ARC supervisory accountant prior to submission to the Department. The Homeland Security bureau variance analysis is also certified by an ARC manager as part of the CFO certification letter.

For non-Treasury and non-Homeland Security customer agencies, accountants prepare a quarterly financial statement variance analysis for interim periods based on the guidance in OMB Circular A-136. Explanations for variances that exceed the OMB Circular A-136 guidelines are provided to OMB with the quarterly financial statement submission. The variance analysis is reviewed by an ARC supervisory accountant prior to submission to OMB.

Receivables
ARC accountants prepare and submit a quarterly Report on Receivables Due from the Public for all customer agencies. The report is reviewed by an ARC supervisory accountant prior to submission to Treasury.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Review the financial reports prepared by ARC to ensure that all reports prepared for external use are complete, accurate, and submitted in a timely manner.
•   Provide certification of FACTS II to ARC prior to ARC’s FACTS II system certification.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures and determined that ARC had documented procedures for the preparation of government-wide reports.
•   For a selection of fourth quarter FACTS II submissions, inspected evidence of management review and determined that they were reviewed and certified.
•   For a selection of months, inspected TIER Submission Checklists for evidence of ARC supervisory review of TIER data and timeliness of submission and determined that submissions had been reviewed.
•   For a selection of months, inspected scorecard documentation and determined that the scorecards were maintained for supervisory review if necessary.
•   For a selection of months, inspected EFT and Prompt Payment reports and determined that they were reviewed by a supervisory accountant before submission.
•   For a selection of months, inspected reconciliations of financial statements prepared by FARS to internally prepared financial statements and determined that reconciliations were reviewed and that any differences were resolved.
•   For a selection of months, inspected reconciliations of financial statements prepared by FARS to internally prepared financial statements and determined that reconciliations were performed, any exceptions were resolved and they were reviewed by a supervisory accountant before submission.
•   For a selection of quarters, inspected the Report on Receivables Due from the Public reconciliations and determined that reconciliations were documented.
•   For a selection of quarters, inspected Reports on Receivables Due from the Public and determined that they were reviewed by an ARC supervisory accountant.

No exceptions noted.

Control Objective 10 – Administrative Spending

Controls provide reasonable assurance that administrative spending controls are reviewed, reconciled, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures related to administrative spending controls.

Budget Execution System Controls
Customer agencies can establish and monitor both legally established and internally developed budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be established at the following levels of the accounting structure in Oracle:
    • Appropriation/Fund (Based upon the customer’s appropriation)
    • Apportionment (Based upon the apportionment schedule on the SF132)
    • Cost Center (Based upon the customer’s internal budget plan)
    • Reporting Category (Based upon the customer’s internal budget plan)
    • Project Code (Based upon the customer’s internal budget plan)
    • Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount or allow spending over the budget plan amount at any level of the budget plan. Spending beyond the apportionment and appropriation levels (legal levels) is prohibited. Decisions on control settings that permit or prevent spending beyond other budget plan levels are made by the customer agency. System controls are applied at the fund level after passage of appropriation legislation and a high-level budget is loaded. Upon receipt and input of a detailed financial plan, controls will be established at the level dictated by the customer agency.

Budget execution settings are determined by the customer agency and input into Oracle by the CSB. System settings are reviewed with the customer agency on an annual basis.
Budget plans are input into Oracle by ARC staff, based upon budget plans provided by customer agencies.

Reconciliation – Budgetary and Proprietary Account Relationships
ARC accountants prepare budgetary to proprietary account relationship reconciliations on a monthly basis, for supervisory review, to ensure complete general ledger account posting for all recorded transactions. An accounting technician or an accountant corrects invalid out-of-balance relationships.

Reconciliations – Fund Balance With Treasury (Activity and Balances)
A Federal Agency’s FBWT assists the agency in monitoring use of budget authority. Treasury’s FMS provides the following reports to inform agencies of their FBWT and to assist agencies in reconciling their general ledger balances to FMS balances:
    • Statement of Differences (Disbursements/Deposits) provides the net difference between FMS’s control totals and the agency’s FMS 224 submission.
    • GWA Account Statement (Transactions) provides increases and decreases to balances, detailed at the submitting ALC levels.
    • GWA Account Statement (Account Summary) provides beginning balance, current month net activity and ending balance.

ARC accountants reduce the probability of month-end differences relating to disbursements by comparing preliminary FMS 224 disbursement data to month-to-date data obtained from CA$HLINK II, GWA TDO Payments, and IPAC systems. Any differences identified by the accountant are corrected by an accounting technician or another accountant prior to the close of the accounting period.

ARC accountants perform Statement of Differences reconciliations, for supervisory review, as well as reconciliations of GWA Account Statement balances to general ledger FBWT balances. If differences are identified during the reconciliations, ARC accountants determine the cause of the difference and the action, if any, that is needed to resolve the discrepancy. If the difference requires correction, an entry is posted in the accounting system by an accounting technician or another accountant.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Properly approve and accurately enter obligations into the procurement and travel systems in the proper period.
•   Approve and return relocation travel vouchers to RSB for processing in moveLINQ in a timely manner.
•   Send valid requests to record manual obligations to ARC in a timely manner.
•   Review open obligation reports for completeness, accuracy, and validity.
•   Restrict customer agency access to Oracle, Discoverer, PRISM, webTA, and GovTrip to authorized individuals.
•   Communicate customer agency required levels of budget and spending controls to ARC.

Tests of Operating Effectiveness and Results of Testing

•   Inspected the written procedures related to administrative spending, inspected reconciliations, and observed ARC staff process transactions and determined that processing was in accordance with the procedures.
•   For a selection of customer agencies, inspected evidence and determined that for the year, the budget controls they specified were input into Oracle by CSB staff and reviewed by a supervisor for completeness and accuracy.
•   For a selection of months, inspected budgetary to proprietary account relationship reconciliations and determined that the reconciliations were performed and that any exceptions were resolved.
•   For a selection of months for a selection of customer agencies, inspected evidence and determined that the accountants performed reconciliations of GWA Account Statement balances to general ledger FBWT balances and that supervisory review was completed.

No exceptions noted.

Control Objective 11 – Budget

Controls provide reasonable assurance that budget entries are documented and processed in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for staff to follow for the processing of budget entries.

Budget Documentation
For customer agency appropriations subject to annual enactment, ARC enters an appropriation based on the amount approved in the annual appropriations process, as supported by the automatic amount calculated during a continuing resolution (CR), the enacted appropriation legislation, or Treasury documentation. ARC enters an apportionment in Oracle from the customer agency's SF 132, Apportionment and Reapportionment Schedule. Upon receipt of the customer agency's budget plan or reprogramming guidance, ARC allocates funding to the customer agency's accounting values according to the detail provided by the customer.

For customer agency sources of funds that are not subject to the annual appropriations process, such as reimbursable or revolving accounts, ARC enters an appropriation and apportionment based on the customer agency's SF 132 and recorded reimbursable activity for those accounts subject to the apportionment process.
ARC allocates funding to the customer agency's accounting values based on the customer agency's budget plan or recorded reimbursable activity. For sources of funds not subject to both the annual appropriations process and the apportionment process, ARC enters an appropriation and apportionment at the fund level and allocates funding to the customer agency's accounting values based on the customer agency's budget plan, recorded reimbursable activity, or reprogramming guidance.

Budget Execution System Controls
Customer agencies can establish and monitor both legally established and internally developed budget plans in Oracle to ensure obligations are authorized and recorded. Budget plans can be established at the following levels of the accounting structure in Oracle:

    •   Appropriation/Fund (Based upon the customer’s appropriation)
    •   Apportionment (Based upon the apportionment schedule on the SF132)
    •   Cost Center (Based upon the customer’s internal budget plan)
    •   Reporting Category (Based upon the customer’s internal budget plan)
    •   Project Code (Based upon the customer’s internal budget plan)
    •   Budget Object Code (Based upon the customer’s internal budget plan)

Budget execution system controls can be set to prevent spending beyond the budget plan amount or allow spending over the budget plan amount at any level of the budget plan. Spending beyond the apportionment and appropriation levels (legal levels) is prohibited. Decisions on control settings that permit or prevent spending beyond other budget plan levels are made by the customer agency. System controls are applied at the fund level after passage of appropriation legislation and a high-level budget is loaded.
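The layered control described above (legal levels always enforced, lower levels enforced or merely monitored at the customer agency's option, and a level whose plan has not yet been loaded imposing no control) can be written out as a small validation routine. The Python below is an added illustration for this report, not ARC's procedures and not Oracle's budget-execution code. The six level names come from the report; everything else is an assumption made for the example: the Mode setting, the BudgetPlan class, the constructed sample fund "F-2009", apportionment "Q1" and cost center "CC-A" with their amounts, and the choice to treat an accounting value with no budget line at an already-loaded level as having zero funds available.

```python
"""Budget execution control check: legal levels are always hard stops, while the
customer agency chooses whether lower levels prevent or only flag overruns.
Added illustration; not ARC's procedures or Oracle's implementation."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PREVENT = "prevent"  # reject an obligation that would exceed the plan amount
    ALLOW = "allow"      # post it, but report the overrun as a warning


# Levels of the Oracle accounting structure named in the report, highest first.
LEVELS = ["Appropriation/Fund", "Apportionment", "Cost Center",
          "Reporting Category", "Project Code", "Budget Object Code"]
# Legal levels: spending beyond these is prohibited whatever the customer sets.
LEGAL_LEVELS = {"Appropriation/Fund", "Apportionment"}


@dataclass
class BudgetLine:
    amount: float           # plan amount loaded for one accounting value
    obligated: float = 0.0  # obligations already posted against it


@dataclass
class BudgetPlan:
    # lines[level][accounting value] -> BudgetLine.  A level with no lines has not
    # been loaded yet, so no control is applied there (assumption for the example).
    lines: dict = field(default_factory=dict)
    modes: dict = field(default_factory=lambda: {lvl: Mode.PREVENT for lvl in LEVELS})

    def set_mode(self, level: str, mode: Mode) -> None:
        """Customer-agency control setting; refused outright for the legal levels."""
        if level not in LEVELS:
            raise ValueError(f"unknown budget level: {level}")
        if level in LEGAL_LEVELS and mode is not Mode.PREVENT:
            raise ValueError(f"{level} is a legal level; its control cannot be relaxed")
        self.modes[level] = mode

    def load(self, level: str, value: str, amount: float) -> None:
        """Load (or replace) the plan amount for one accounting value at one level."""
        if level not in LEVELS:
            raise ValueError(f"unknown budget level: {level}")
        self.lines.setdefault(level, {})[value] = BudgetLine(amount)

    def obligate(self, accounting_values: dict, amount: float):
        """Check an obligation against every loaded level, then post it.

        Returns (accepted, messages).  A PREVENT overrun rejects the whole
        obligation before anything is posted; ALLOW overruns post with a warning.
        """
        if amount <= 0:
            return False, ["obligation amount must be positive"]
        warnings, touched = [], []
        for level in LEVELS:
            level_lines = self.lines.get(level)
            if not level_lines:
                continue  # plan not loaded at this level: no control applied yet
            value = accounting_values.get(level)
            line = level_lines.get(value)
            if line is None:
                # Loaded level with no line for this value: zero funds (assumption).
                return False, [f"{level} '{value}': no budget line loaded"]
            if line.obligated + amount > line.amount:
                msg = (f"{level} '{value}': {line.obligated + amount:.2f} would exceed "
                       f"plan amount {line.amount:.2f}")
                if self.modes[level] is Mode.PREVENT:
                    return False, [msg]  # hard stop; nothing has been posted
                warnings.append(msg)
            touched.append(line)
        for line in touched:  # every check passed: post to all loaded levels at once
            line.obligated += amount
        return True, warnings


def build_sample_plan() -> BudgetPlan:
    """Constructed sample data: one fund, one apportionment line and one cost
    center whose overrun control the customer agency set to 'allow'."""
    plan = BudgetPlan()
    plan.load("Appropriation/Fund", "F-2009", 1000.0)
    plan.load("Apportionment", "Q1", 400.0)
    plan.load("Cost Center", "CC-A", 150.0)
    plan.set_mode("Cost Center", Mode.ALLOW)
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    values = {"Appropriation/Fund": "F-2009", "Apportionment": "Q1", "Cost Center": "CC-A"}
    print(plan.obligate(values, 100.0))  # accepted, no warnings
    print(plan.obligate(values, 100.0))  # accepted, cost center overrun flagged
    print(plan.obligate(values, 250.0))  # rejected at the apportionment (legal) level
    try:
        plan.set_mode("Apportionment", Mode.ALLOW)
    except ValueError as exc:
        print("refused:", exc)
```

Two design points matter for anyone testing such a control. Every loaded level is checked before any line is updated, so a rejection at an apportionment or fund line leaves no partial posting at the cost center below it, which is what the test "spending beyond the legal levels is prohibited" has to demonstrate. And the legal levels are fixed in code rather than in the customer-editable settings, so the annual review of system settings can confirm the customer's choices without being able to weaken the statutory limits.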
Upon receipt and input of a detailed financial plan, controls will be established at the level dictated by the customer agency.

Budget execution settings are determined by the customer agency and input into Oracle by the Business Technology Division’s Customer Service Branch (CSB). System settings are reviewed with the customer agency on an annual basis. Budget plans are input into Oracle by ARC staff, based upon budget plans provided by customer agencies.

Reconciliation – Budgetary and Proprietary Account Relationships
ARC accountants prepare budgetary to proprietary account relationship reconciliations on a monthly basis, for supervisory review, to ensure complete general ledger account posting for all recorded transactions. An accounting technician or an accountant corrects invalid out-of-balance relationships.

Reconciliation – Fund Balance With Treasury
A Federal Agency’s FBWT assists the agency in monitoring budget authority. Treasury’s FMS provides the following reports to inform agencies of their FBWT and to assist agencies in reconciling their general ledger balances to FMS balances:

    •   GWA Account Statement (Transactions) provides increases and decreases to balances, detailed at the submitting ALC levels.
    •   GWA Account Statement (Account Summary) provides beginning balance, current month net activity and ending balance.

ARC accountants perform reconciliations, for supervisory review, of GWA Account Statement balances to general ledger FBWT balances. If differences are identified during the reconciliations, ARC accountants determine the cause of the difference and the action, if any, that is needed to resolve the discrepancy. If the difference requires correction, an entry is posted in the accounting system by an accounting technician, another accountant or a budget analyst.

Document Numbering
All accounting entries recorded into Oracle require a transaction or document identification number. System controls prohibit the use of duplicate document numbers on budget documents. ARC has developed and implemented a standard document-numbering scheme to avoid duplicate document processing and to enable readers of ARC reports to better identify and/or determine the nature of transactions processed by ARC. When an ARC user attempts to enter a transaction identification number that already exists, Oracle issues an error message that alerts the user of the duplication.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Review the financial reports provided by ARC to ensure that budget entries are complete and accurate.
•   Send approved budget plans to ARC in a timely manner.
•   Communicate customer agency required levels of budget and spending controls to ARC.
•   Communicate OMB apportionment status to ARC.
•   Monitor usage of budget authority during periods of operation under a Continuing Resolution to ensure that OMB directed apportionment limits are not exceeded.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for budget entries and determined that they were consistent with the control description.
•   For a selection of customer agencies, inspected evidence and determined that for the year, the budget controls they specified were input by CSB staff and then reviewed by a supervisor for completeness and accuracy.
•   For a selection of months, inspected monthly general ledger account reconciliations and determined that reconciliations were performed, any exceptions were resolved and the reconciliation was reviewed by a supervisor.
•   For a selection of months for a selection of customer agencies, inspected evidence and determined that the accountants performed reconciliations of GWA Account Statement balances to general ledger FBWT balances and that supervisory review was completed.
•   Observed an ARC staff member attempt to enter a transaction into Oracle with a document number that had already been entered into Oracle and noted that Oracle automatically rejected the entry of a duplicate document number.

No exceptions noted.

Control Objective 12 – Manual Journal Entries

Controls provide reasonable assurance that manual journal entries are authorized.

Description of Controls

ARC has documented procedures for staff to follow for the processing of manual journal entries.

Journal Entry Approval
A user’s profile in Oracle determines whether or not the user can prepare and/or approve a manual journal entry. Oracle system controls require that all manual journal entries be routed to an approver. Once a user has entered a journal entry, Oracle automatically routes the journal entry to their supervisor’s approval queue.

Document Numbering
Oracle assigns all manual journal entries a specific journal category and journal source, and ARC follows a standard document numbering scheme. Hardcopy documentation supporting the journal entry accompanies each request for approval. The approver compares the hardcopy documentation to Oracle and approves the journal entry.

Customer Agency Control Considerations

Customer agencies should establish controls to:

•   Send valid and approved requests to record manual journal entries to ARC in a timely manner.
•   Maintain and communicate to ARC a list of individuals authorized to submit manual journal entries that are initiated by the customer agency.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures for the processing of manual journal entries and determined that procedures were documented.
•   Inspected the list of Oracle users with the ability to create manual journal entries and determined that they were assigned a supervisor in Oracle and were subject to the automated approval workflow.
•   Inspected the list of Oracle users with the ability to approve manual journal entries and the list of users with the ability to enter manual journal entries and determined that users without a specified supervisor did not have the ability to enter a manual journal entry.
•   For a selection of journal entries, inspected hardcopy supporting documentation and related Oracle journal entries and determined that the manual journal entries had proper hardcopy documentation and were authorized.

No exceptions noted.
Operating Effectiveness\n\x0cControl Objective 13 - Federal Investments\n\nControls provide reasonable assurance that Federal investments are authorized, reviewed,\nprocessed timely, reconciled, and properly documented in accordance with ARC policies and\nprocedures.\n\nDescription of Controls\n\nARC accountants process purchases of Federal investments in accordance with customer agency\ninstruction. Instructions include the type and amount of securities to be purchased or the amount\nof residual cash to be retained. An independent accountant reviews investment purchases.\n\nAll investment activity is recorded in general ledger through a daily interface between the Federal\nInvestment System (FedInvest) and Oracle. Accountants reconcile investment general ledger\naccounts to the FedInvest application on a monthly basis to ensure all investment activity has\nbeen properly recorded. A supervisor reviews investment account reconciliations.\n\nTests of Operating Effectiveness and Results of Testing\n\n\xe2\x80\xa2   For a selection of customer agencies, inspected investment instructions and determined that\n    they were provided to ARC and defined the investment objectives for the agencies.\n\xe2\x80\xa2   For a selection of investment purchases, inspected evidence and determined that an\n    independent accountant reviewed the purchases.\n\xe2\x80\xa2   For a selection of months for a selection of customer agencies, inspected evidence and\n    determined that the accountants reconciled investment general ledger accounts to the\n    FedInvest application in a timely manner.\n\n\nNo exceptions noted.\n\n\n\n\n                                              56        Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0cControl Objective 14 \xe2\x80\x93 Suppliers and Banks Record Changes\n\nControls provide reasonable assurance that changes made to Suppliers and Banks records 
require\nappropriate system access and the changes are reviewed, approved, and documented in\naccordance with ARC policies and procedures.\n\nDescription of Controls\n\nARC has documented procedures related to Suppliers and Banks record changes for staff to\nfollow.\n\nSegregation of Duties \xe2\x80\x93 Changes to Suppliers and Banks Records\nUser profiles set by Oracle system administrators, as authorized by the user\xe2\x80\x99s supervisor or\nmanager, ensure that only authorized Central Accounting Branch (CAB) employees are able to\nmake changes to Suppliers and Banks records. Authorized CAB employees who have Suppliers\nand Banks record change privileges do not have authorization to approve vendor payments in the\naccounting systems allowing for proper segregation of duties.\n\nChanges to Suppliers and Banks records that include taxpayer identification number, address, or\nbank routing/account number require:\n\n\xe2\x80\xa2   A source document (Central Contractor Registration (CCR) database or a document supplied\n    by the vendor or customer, when CCR is not applicable. \xe2\x80\x93 i.e., grants and loans, payroll\n    database, and/or e-mail, etc.), and\n\xe2\x80\xa2   Independent review.\n\nReview \xe2\x80\x93 Changes to Suppliers and Banks Records\nCAB employees review and process changes to Suppliers and Banks records and maintain the\nsupporting source documentation as described above.\n\nA reviewing CAB employee compares changes to Suppliers and Banks records from the Oracle\nsystem to the change request documents and initials the audit report indicating review. The\nreviewing employee does not have access to make changes to Suppliers and Banks records in\nOracle. 
Therefore, if errors were made, the reviewing CAB employee would provide a copy of\nthe source document to an authorized employee for correction and subsequent review.\n\nTests of Operating Effectiveness and Results of Testing\n\n\xe2\x80\xa2   Inspected written procedures and determined that ARC had documented procedures for\n    Suppliers and Banks record changes.\n\xe2\x80\xa2   Inspected a list of users with access to update, modify, or delete Suppliers and Banks records\n    and determined that users had the appropriate privileges.\n\xe2\x80\xa2   Inspected a list of users with access to process vendor payments and determined that users\n    had the appropriate privileges.\n\xe2\x80\xa2   For a selection of changes to Suppliers and Banks records, inspected the reviewed report\n    signed by the reviewing employee and determined that the Suppliers and Banks record\n    changes were reviewed and approved.\nNo exceptions noted.\n\n                                              57        Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0cPROCUREMENT PROCESSING CONTROLS\n\nControl Objective 15 \xe2\x80\x93 Acquisitions and Contracts\n\nControls provide reasonable assurance that acquisitions are compliant with Federal laws,\nregulations and policies.\n\nDescription of Controls\n\nAll simplified acquisitions, commercial item contracts and Uniform Contract Format contract\nfiles contain a checklist of file contents, which is completed by a Contract Specialist. A\nstandardized contract file format is also maintained. The checklist and file contents are reviewed\nby a warranted Contracting Officer, as evidenced by their signature on the award document, to\nensure adequacy of documentation and compliance with laws, regulations and policies. 
Contract\nofficers are warranted by Treasury for certain dollar limits based on experience and training.\n\nTests of Operating Effectiveness and Results of Testing\n\n\n\xe2\x80\xa2   Inspected a selection of simplified acquisitions, commercial item contracts, and Uniform\n    Contracts and determined that a standard format was used and each included a checklist, with\n    the following exception noted:\n    \xe2\x80\xa2   Two of the 25 simplified acquisition files inspected did not include the checklist as\n        defined in the control description.\n\xe2\x80\xa2   For a selection of simplified acquisitions, commercial item contracts, and Uniform Contracts\n    inspected the checklists and determined that the documentation was reviewed by a Warranted\n    Contracting Officer.\n\xe2\x80\xa2   Inspected the contract officer\xe2\x80\x99s authorization levels and determined that Warranted\n    Contracting Officers had specified dollar limits.\n\nNo exceptions noted, except as described above.\n\n\n\n\n                                               58       Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0cControl Objective 16 \xe2\x80\x93 Sufficiently Funded Requisitions\n\nControls provide reasonable assurance that contract obligations are supported by approved\nrequisitions.\n\nDescription of Controls\n\nA Contract Specialist or Contracting officer ensures that each acquisition file is supported by a\nsufficiently funded requisition. Requisitions are approved by program officials through the\nPRISM system. Approval specifies that funds are available at the time of the requisition and are\nthen reserved for this purchase through a commitment. Approving officials are granted dollar\nthreshold approval rights by the customer agency. 
These thresholds are maintained in the PRISM\nsystem.\n\nTests of Operating Effectiveness and Results of Testing\n\n\xe2\x80\xa2   Inspected a selection of acquisitions and evidence from PRISM and determined that the\n    requisitions were approved by program officials through the PRISM system.\n\xe2\x80\xa2   Inspected the approval limits in the PRISM system and determined that the use of the\n    approval limits in PRISM were configured properly.\n\n\nNo exceptions noted.\n\n\n\n\n                                             59        Control Objectives, Related Controls, and\n                                                                Tests of Operating Effectiveness\n\x0cGENERAL COMPUTER CONTROLS\n\nControl Objective 17 \xe2\x80\x93 System Access\n\nControls provide reasonable assurance that systems are protected from unauthorized access in\naccordance with ARC policies and procedures.\n\nDescription of Controls\n\nARC follows BPD policies and procedures that were developed, documented, disseminated, and\nthat are periodically reviewed and updated to facilitate the implementation of logical access\ncontrols. Additionally, procedures specific to Oracle, PRISM, webTA, GovTrip, and moveLINQ\nhave been documented. The logical access controls are based on Treasury and BPD policies and\nstandards (Treasury Information Technology Security Program TDP-85-01 Volume I), which, in\nturn, are based on the applicable Federal laws and regulations. These controls are the system-\nbased mechanisms that are used to specify which individuals and/or processes are to have access\nto a specific system resource and the type of access that is to be permitted. These controls limit\nuser access to information and restrict their system access to their designated level.\n\nOracle\nAccess to Oracle is restricted to users with a valid logon ID and password. Oracle\nlogons/sessions are encrypted to protect the information, making it unintelligible to all but the\nintended users. 
Sessions are protected using 128-bit Secure Sockets Layer (SSL) encryption.\nProspective Oracle users must complete, sign and submit an approved Administrative Resource\nCenter System Access Form for End User Applications to request access to Oracle. The end\nuser\xe2\x80\x99s signature indicates that they are familiar with the Privacy Act information and security\nrequirements and will comply with computer security requirements established by BPD and\nARC. The form defines the user\xe2\x80\x99s access specifications, which will allow the user to perform\nhis/her duties in Oracle. Changes to existing user profiles require an e-mail to be sent to the\nOracle Support Team mailbox by an authorized individual requesting the change, and defining\nwhat access should be added/deleted/changed. In order to remove a user\xe2\x80\x99s access, customer\nagencies submit a request for account termination. At that time, the Oracle user account is end-\ndated in the system to remove their access. Additionally, each day the Oracle Support Team\ngenerates and reviews a list of Oracle user accounts that have been inactive for 80 days. An e-\nmail is sent to the user warning them that their account will be end-dated if they maintain an\ninactive status for 90 days. After 90 days of inactivity, the user\xe2\x80\x99s account will be end-dated.\nAnnually, the ARC sends out a list of system users to each customer agency for review. The\nOracle Support Team updates the permissions for users based on the responses received from the\ncustomer agencies.\n\nOracle uses a multi-org functionality to strengthen security within the application. Each customer\nagency is setup as an operating unit in Oracle. When a new responsibility is created by the\nsystem administrators, it is mapped to a specific operating unit by a system profile option. 
The\nmulti-org functionality helps ensure that a user assigned to a responsibility (which in turn is\nmapped to an operating unit) can only see or enter data for that customer (or operating unit).\nOracle also provides a value set security feature, assigned to a responsibility, which further\ncontrols new data entry in the operating unit by limiting the list of values (LOV) for the\naccounting flexfield to those values specific to the customer (or operating unit).\n\nOnly CSB and QCB employees along with the SYSADMIN account controlled by Information\nTechnology Support Branch are assigned the System Administrator responsibility in the Oracle\n\n                                              60       Control Objectives, Related Controls, and\n                                                                Tests of Operating Effectiveness\n\x0capplication. The employees with the System Administrator responsibility have limited access to\nperform operational functions in Oracle, specifically limited to the month-end closing, during\ncustomer conversions (as directed by the functional teams) or emergency situations that can be\napproved by a supervisor or manager after the fact. Additionally, the individuals with Oracle\nSystem Administrator privileges perform multiple functions, including that of the Oracle Support\nteam members. As a result, these individuals periodically require temporary access privileges of\na functional user in order to address user inquiries. An edit check prevents an Oracle System\nAdministrator from adding or removing any responsibilities from their own user ID.\n\nThe CSB/QCB managers can be assigned the System Administrator responsibility in situations\nwhere the manager deems the access is required. This responsibility is granted on a temporary\nbasis with the proper request and approval and will be end-dated once the access is no longer\nnecessary. 
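The multi-org scoping, value set security, temporary end-dated responsibilities and administrator self-modification edit check described above, modelled as an added Python example that is not Oracle's code nor ARC's; the operating units, responsibility names, user IDs and flexfield values are constructed sample data.

```python
"""Toy model of the Oracle access scoping described above (added illustration, not Oracle's API)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Responsibility:
    """A responsibility, mapped to exactly one operating unit (the profile option)."""
    name: str
    operating_unit: str
    is_sysadmin: bool = False


@dataclass
class Assignment:
    """A responsibility granted to a user; end-dating it revokes it without deleting the record."""
    responsibility: Responsibility
    end_date: Optional[date] = None


@dataclass
class User:
    user_id: str
    assignments: list[Assignment] = field(default_factory=list)

    def active_responsibilities(self, today: date) -> list[Responsibility]:
        # An assignment stops being effective on its end date.
        return [a.responsibility for a in self.assignments
                if a.end_date is None or a.end_date > today]

    def operating_units(self, today: date) -> set[str]:
        return {r.operating_unit for r in self.active_responsibilities(today)}

    def is_sysadmin(self, today: date) -> bool:
        return any(r.is_sysadmin for r in self.active_responsibilities(today))


class SelfModificationError(PermissionError):
    """The edit check: an administrator may not change responsibilities on their own ID."""


def visible_rows(user: User, rows: list[dict], today: date) -> list[dict]:
    """Multi-org: only rows for operating units the user's active responsibilities map to."""
    units = user.operating_units(today)
    return [row for row in rows if row["operating_unit"] in units]


def allowed_values(user: User, value_sets: dict[str, list[str]], today: date) -> list[str]:
    """Value set security: the accounting flexfield LOV limited to the user's operating units."""
    units = user.operating_units(today)
    return sorted(v for unit, values in value_sets.items() if unit in units for v in values)


def assign_responsibility(actor: User, target: User, resp: Responsibility,
                          today: date, end_date: Optional[date] = None) -> None:
    """Grant a responsibility; only an administrator may do so, and never on their own ID."""
    if not actor.is_sysadmin(today):
        raise PermissionError(f"{actor.user_id} lacks the System Administrator responsibility")
    if actor.user_id == target.user_id:
        raise SelfModificationError(f"{actor.user_id} may not modify their own responsibilities")
    target.assignments.append(Assignment(resp, end_date))


def run_scenario() -> dict:
    """Constructed sample: two customer agencies as operating units and one ARC administrator."""
    today = date(2009, 6, 30)
    gl_a = Responsibility("GL_USER_AGENCY_A", "AGENCY_A")
    gl_b = Responsibility("GL_USER_AGENCY_B", "AGENCY_B")
    sysadmin = Responsibility("SYSTEM_ADMINISTRATOR", "ARC", is_sysadmin=True)
    alice = User("alice", [Assignment(gl_a)])
    sam = User("sam", [Assignment(sysadmin)])
    rows = [  # constructed general ledger rows tagged with their operating unit
        {"doc": "A-0001", "operating_unit": "AGENCY_A", "amount": 100.0},
        {"doc": "B-0001", "operating_unit": "AGENCY_B", "amount": 250.0},
        {"doc": "A-0002", "operating_unit": "AGENCY_A", "amount": 75.0},
    ]
    value_sets = {"AGENCY_A": ["020-1000", "020-2000"], "AGENCY_B": ["031-1000"]}

    result = {"alice_before": [r["doc"] for r in visible_rows(alice, rows, today)]}
    # Temporary grant for a customer conversion, end-dated one week out.
    assign_responsibility(sam, alice, gl_b, today, end_date=today + timedelta(days=7))
    result["alice_temp"] = [r["doc"] for r in visible_rows(alice, rows, today)]
    result["alice_lov_temp"] = allowed_values(alice, value_sets, today)
    result["alice_after"] = [r["doc"] for r in visible_rows(alice, rows, today + timedelta(days=7))]
    try:
        assign_responsibility(sam, sam, gl_a, today)  # must be rejected by the edit check
        result["self_grant"] = "allowed"
    except SelfModificationError:
        result["self_grant"] = "rejected"
    return result
```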
Project and Technical Services Branch (PTSB) staff can be assigned the System Administrator responsibility when management deems the access is required. This responsibility is granted on a temporary basis with the proper request and approval and will be end-dated once the access is no longer needed.

Administrative access to the underlying Oracle servers and databases is limited to server and database administrators within the OIT and specific BTD employees.

User Identifications (IDs) are assigned to BPD employees consistent with their network logon ID. User IDs for customer agency staff are assigned by an ARC system administrator. A temporary password is assigned to all users by calling the Oracle Support Team. Oracle Support Team personnel are responsible for verifying the caller’s identity. Once the user logs onto the accounting system, they must establish their own unique password. An Oracle user’s password must meet unique password configuration, password complexity and password expiration criteria to ensure strong password security.

Oracle access attempt logs are reviewed daily by the PRISM Support Team to identify whether users unsuccessfully attempted to access the system five or more times in the day. When five or more unsuccessful access attempts were made, an e-mail is sent to the user indicating that the access attempts were noted and requesting that the user notify ARC if the attempts were not made by the user.

PRISM
Access to PRISM is restricted to users with a valid logon ID and password. PRISM logons/sessions are encrypted to protect the information, making it unintelligible to all but the intended users. Sessions are protected using 128-bit SSL encryption. Prospective PRISM users must complete, sign, and submit an approved Administrative Resource Center System Access Form for End User Applications to request access to PRISM. The end user’s signature indicates that they are familiar with the Privacy Act information and security requirements and will comply with computer security requirements established by BPD and ARC. The form defines the user’s access specifications, which will allow the user to perform his/her duties in PRISM. Changes to existing user profiles require an e-mail to be sent to the PRISM Support Team mailbox by an authorized individual at the customer agency, requesting the change and defining what access should be added/deleted/changed. In order to remove a user’s access, customer agencies submit a request for account termination. At that time, the PRISM user is end-dated in the system to remove their access. Additionally, each day the Oracle Support Team generates and reviews a list of PRISM user accounts that have been inactive for 80 days. An e-mail is sent to the user warning them that their account will be end-dated if they maintain an inactive status for 90 days. After 90 days of inactivity, the user’s account will be end-dated. Annually, the ARC sends out a list of users to each customer agency for review. Included for review are requisitioner and buyer approval limits by user. The PRISM Support Team updates the access according to the responses received from the customer agencies.

User access within PRISM is further limited by only allowing users to approve the addition or modification of records for the operating units they have been assigned in Oracle. PRISM utilizes the existing security features and functionality of Oracle. For example, new users are set up in Oracle and assigned appropriate PRISM responsibilities. Within Oracle, the responsibilities are mapped to PRISM security groups. The user and security groups then flow to PRISM. Within the PRISM application, users are assigned additional responsibilities as authorized on the access form.

Updates to a user’s PRISM responsibilities are audited by independent employees within CSB. The changes to functional access privileges are reviewed and compared to the changes to the BTD’s Team Responsibilities matrix to determine whether or not the access privileges are appropriate. Follow-up is performed to validate the addition of any privileges that are not on the BTD’s Team Responsibilities matrix.

The System Administrator responsibility in PRISM is limited to certain employees requiring the access for the performance of job duties. Administrative access to the underlying PRISM servers and databases is limited to server and database administrators within the OIT and specific BTD employees.

User IDs are assigned to BPD employees consistent with their network logon ID. User IDs for customer agency staff who utilize PRISM are assigned by an ARC system administrator. A temporary password is assigned to all users by calling the PRISM Support Team. PRISM Support Team personnel are responsible for verifying the caller’s identity prior to establishing the user’s password. Once the user logs onto the system, they must establish their own unique password. A user’s password must meet unique password configuration, password complexity and password expiration criteria to ensure strong password security.

PRISM access attempt logs are reviewed daily by the Oracle Support Team to identify whether users unsuccessfully attempted to access the system five or more times in the day. When five or more unsuccessful access attempts were made, an e-mail is sent to the user indicating that the access attempts were noted and requesting that the user notify ARC if the attempts were not made by the user.

webTA [1]
Access to webTA is restricted to users with a valid logon ID and password. Access to webTA is provided using 128-bit SSL encryption. All personnel require access to webTA in order to complete time and attendance submission. Users granted standard employee access privileges are not required to submit an access form. However, users that require elevated access privileges (e.g., timekeeper, supervisor) are added to the webTA system following receipt of a supervisor-approved Administrative Resource Center System Access Form for End User Applications. The end user’s signature indicates they are familiar with the Privacy Act information and security requirements and will comply with computer security rules. The form defines the user’s access specifications, which will allow the user to perform his/her duties in webTA. Changes to existing user profiles require a new access form to be submitted by the customer agency. Upon receipt of an Administrative Resource Center System Access Form for End User Applications requesting the deletion of a webTA user or upon receipt of a timesheet coded as “Final,” an HR Administrator in PLSB removes the assigned responsibilities. Annually, an HR Administrator sends out a list of timekeepers and supervisors to each customer agency for the agency to use in performing a periodic review of access. The list is limited to those timekeepers and supervisors who are not currently responsible for validating or approving time for an active employee at the customer agency. The review ensures that these employees who do not currently validate or approve time on a regular basis still require their role as a timekeeper or supervisor.

User access within webTA is further limited by the role the user is assigned in the system (i.e., Employee, Timekeeper, Supervisor, etc.). The System Administrator and HR Administrator roles in webTA are limited to certain employees, ensuring no one serves in both administrator roles. Periodically, there is a need for the System Administrator to research a problem in a production instance using an HR role. When such an event arises, the System Administrator can be temporarily granted HR-specific roles with supervisor approval. Administrative access to the underlying webTA servers and databases is limited to server and database administrators within the OIT.

An HR Administrator assigns user IDs to BPD employees consistent with their network logon ID. User IDs for customer agency staff who utilize webTA as timekeepers or supervisors are also assigned by an HR Administrator. An HR Administrator also assigns a temporary password to users by e-mail. Once the user logs onto the system, they must establish their own unique password. A user’s password must meet unique password configuration, password complexity and password expiration criteria to ensure strong password security.

[1] The scope of the description of webTA controls applies only to full service webTA customers.

GovTrip
Access to GovTrip is restricted to users with a valid logon ID and password. All users must complete the self-registration process. After the self-registration information is verified, the TSD helpdesk forwards an account token to the user so that the user can activate their account. After registration is completed, a Travel Services Division (TSD) Administrator verifies the request of the user to grant access to GovTrip. Budget Reviewers and Approving Officials must complete, sign, and submit an approved Administrative Resource Center Online Applications Access Request or have an approving official or agency travel contact authorize access via e-mail. The end user’s signature indicates they are familiar with the Privacy Act information and security requirements, and will comply with computer security requirements established by BPD and ARC. The form defines the user’s access specifications, which will allow the user to perform his/her duties in GovTrip. Changes to a user’s identification (i.e., name change) or to the user’s role in GovTrip require an Administrative Resource Center Online Applications Access Request to be resubmitted or an e-mail from the user copying his/her approving official or agency travel contact. Upon receipt of an Exit Clearance form or e-mail request, GovTrip access permissions are set to indicate that the user has terminated, by changing the user’s organization level to a suspense level. Additionally, the user ID is reset so that the user will no longer have access to utilize the account. On an annual basis GovTrip user accounts are reviewed by customer agency Travel Contacts. TSD staff create reports of GovTrip users and distribute the reports to customer agency Travel Contacts for review and verification of the accounts.

GovTrip has user access levels that separate permissions from highest to lowest into these categories:
    •   System administrators (NGMS only)
    •   Application administrators; Designated TDSB staff
    •   Application administrators; Customer Service Help Desk Tier 2, Designated TDSB staff
    •   Customer Service Help Desk Tier 1, Designated TDSB Staff
    •   Approving Officials and Budget Reviewers
    •   User; Traveler and Document Preparer
    •   Terminated Users; Invitational Travelers

Access privileges are granted in accordance with the concept of least privilege required.

Users must establish their own unique GovTrip password. A user’s password must meet unique password configuration, password complexity and password expiration criteria to ensure strong password security.

moveLINQ
Access to moveLINQ is restricted to authorized TSD users with a valid logon ID and password. The process for requesting, establishing, issuing, and closing user accounts is controlled through the use of the moveLINQ Online Application Access Request Form, which requires supervisor approval. The form defines the user’s access specifications, which will allow the user to perform his/her duties in moveLINQ. Changes to a user’s identification (i.e., name change) or to the user’s role in moveLINQ also require a moveLINQ Online Application Access Request Form or e-mail from the user’s supervisor or manager. The user access list is reviewed by management every time a change is made or six months from the last review, whichever is longer.

User IDs are assigned to authorized TSD employees consistent with their network logon ID. A temporary password is assigned to moveLINQ users in person or by phone. Once the user logs onto moveLINQ, they must establish their own unique password, which is encrypted. A user’s password must meet unique password configuration, password complexity and password expiration criteria to ensure strong password security.

moveLINQ has user access roles that separate permissions from highest to lowest into these categories:
    •   Administrator
    •   SAR (Non-Admin)
    •   AUTH TSD Management
    •   Relocation Coordinator Level 1
    •   Relocation Coordinator Level 2
    •   Tech – RITA Only
    •   Special OA
    •   Tech
    •   Viewer

Access privileges are granted in accordance with the concept of least privilege required.

See Control Objective 19 for further discussion of the physical access control process.

Customer Agency Control Considerations

Customer agencies should establish controls to:
•   Review and approve the listing of users with current Oracle, PRISM, webTA, and GovTrip access to ensure appropriateness.
•   Ensure exiting employee timecards are coded “Final,” as this will help ensure that HR staff deactivate the employee’s webTA access.

Tests of Operating Effectiveness and Results of Testing

•   Inspected the Treasury Information Technology Security Program TDP-85-01 Volumes I and II and determined that security policies and procedures were documented.
•   Inspected Oracle user account management procedures and password procedures and determined that the security policies and procedures were documented for Oracle.
•   Inspected PRISM user account management procedures and password procedures and determined that security policies and procedures were documented for PRISM.
•   Inspected webTA user account management procedures and password procedures and determined that security policies and procedures were documented for webTA.
•   Inspected GovTrip user account management procedures and password procedures and determined that security policies and procedures were documented for GovTrip.
•   Inspected moveLINQ user account management procedures and password procedures and determined that security policies and procedures were documented for moveLINQ.
•   Inspected screen prints of a logon session and determined that Oracle users required a valid login ID and password and that logins/sessions were encrypted with 128-bit SSL encryption.
•   For a selection of new Oracle users, inspected user access request forms and determined that the forms were completed, access was authorized, and the forms contained the employee’s signature to denote that they understood the Privacy Act requirements.
•   For a selection of changes to Oracle user profiles, inspected authorizing documentation and determined that updates to access rights were authorized.
•   Inspected a selection of requests for termination of customer agency employees’ Oracle access and evidence of when the account was end-dated in the Oracle system and determined that requests for termination of access from customer agencies were completed in a timely manner.
•   From the selection of inactive Oracle user account reviews, inspected evidence and determined that the accounts inactive for 80 or more days were end-dated in the system.
•   For a selection of customer agencies, inspected evidence of the annual Oracle user access review and determined that the annual reviews were performed.
•   Inspected the list of user accounts and access in Oracle and determined that each user’s access was restricted to distinct operating units or customer agencies.
•   Inspected the user roles assigned to the Oracle System Administrators and compared them to the BTD Allowable Responsibilities Table, and determined that the functional user permissions were restricted commensurate with job responsibilities.
•   Observed and inspected a screenshot of an Oracle System Administrator attempting to add responsibilities to their user ID, and noted that System Administrators could not add responsibilities to their user IDs.
•   For a selection of occurrences, inspected documentation authorizing the use of temporary Oracle Administrator access and determined that the access was documented and approved, and revoked when no longer needed.
•   Inspected the access control lists for the Oracle database and the host server and determined that the functional user permissions were restricted commensurate with job responsibilities.
•   Inspected the Oracle user list and determined that the accounts followed the naming convention.
•   Inquired of the Supervisory Financial Systems Analyst and was informed that passwords were distributed to new external users via telephone after confirmation of user identity.
•   Inquired of the Supervisory Financial Systems Analyst and was
informed that upon initial\n    login new accounts must establish a new password.\n\xe2\x80\xa2   Inspected Oracle profile options and determined that Oracle was configured to disconnect\n    sessions if they remained inactive for 30 minutes.\n\xe2\x80\xa2   Inspected Oracle profile options and determined that failed logins, password complexity,\n    generation, and length requirements were configured in accordance with ARC password\n    standards.\n\xe2\x80\xa2   For a selection of Oracle System Administrators and users, observed the password lifespan\n    days established for the individual users and noted that they were configured in accordance\n    with ARC password standards.\n\xe2\x80\xa2   For a selection of dates, inspected Oracle violation logs and evidence of review and\n    determined that violation logs were reviewed.\n\xe2\x80\xa2   Inspected a screen print of a logon session and determined that user ID and password were\n    required and that PRISM logins/sessions were encrypted with 128-bit SSL encryption.\n\xe2\x80\xa2   For a selection of new PRISM users, inspected user access request forms and determined that\n    the forms were completed and access was authorized.\n\xe2\x80\xa2   For a selection of changes to PRISM user accounts, inspected authorizing documentation and\n    determined that updates to the accounts were authorized.\n\xe2\x80\xa2   Inspected a list of separated employees and a list of PRISM users and determined that\n    separated employees did not retain access to the PRISM.\n\xe2\x80\xa2   For a selection of days, inspected the PRISM inactive reviews and determined that the\n    reviews were performed on a daily basis.\n\xe2\x80\xa2   Inspected evidence of distribution of PRISM user lists for review and determined that user\n    account lists were distributed on an annual basis for review.\n\xe2\x80\xa2   Observed and inspected a screenshot of the production PRISM system for a user and noted\n    that system was configured as 
defined in the control and in the New User Setup document.\n\xe2\x80\xa2   Inspected a selection of modified PRISM access reviews and determined that they were\n    reviewed by an independent reviewer.\n\xe2\x80\xa2   Inspected the access control lists for the PRISM backend database and the host server and\n    determined that the System Administrator and DBA privileges were commensurate with job\n    responsibilities.\n\n\n\n                                               66       Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0c\xe2\x80\xa2   Inspected the PRISM user list and determined that accounts appear to the naming convention,\n    using first initial and second initial if necessary and last name.\n\xe2\x80\xa2   Observed the PRISM Support Team member creating a new account in the PRISM system\n    and noted that upon first login the user was immediately directed to reset their password.\n\xe2\x80\xa2   Inspected PRISM password settings and determined that failed logins, password complexity,\n    aging, generation, and length requirements were configured in accordance with ARC\n    password standards.\n\xe2\x80\xa2   Inspected PRISM configuration settings and determined that the PRISM sessions were\n    configured to time-out if they remained inactive for 30 minutes.\n\xe2\x80\xa2   For a selection of dates, inspected PRISM violation logs and evidence of review and\n    determined that violations logs were reviewed.\n\xe2\x80\xa2   Observed a logon session and noted that the webTA logins/sessions required user name and\n    password.\n\xe2\x80\xa2   Observed a user log into webTA and noted that connections to webTA were encrypted\n    utilizing 128-bit SSL encryption.\n\xe2\x80\xa2   For a selection of new webTA users with elevated privileges, inspected user access request\n    forms and determined that the forms were completed and access was 
authorized.\n\xe2\x80\xa2   For a selection of changes to webTA user profiles, inspected authorizing documentation and\n    determined that updates to the accounts were authorized.\n\xe2\x80\xa2   Inspected a list of separated employees and a list of webTA users and determined that the\n    separated employees did not retain access to the webTA application, server, or database.\n\xe2\x80\xa2   For a selection of customer agencies, inspected evidence of distribution of a list of webTA\n    supervisors and timekeepers for annual user account review by the customer agency and\n    determined that annual reviews of access were completed.\n\xe2\x80\xa2   Inquired of ARC management and was informed the privileges provided within webTA were\n    provided based on the concept of least privilege.\n\xe2\x80\xa2   Inspected the BPD user privileges with webTA and determined that users were assigned in a\n    role based security configuration.\n\xe2\x80\xa2   Inspected the BPD user privileges within webTA and determined that users assigned HR\n    Administrators did not have Administrator access.\n\xe2\x80\xa2   Inspected the webTA user privileges for a selection of customer agencies and determined that\n    users were assigned in a role based security configuration, and if users assigned HR\n    Administrator did not have Administrator Access.\n\xe2\x80\xa2   Inspected the webTA user privileges for a selection of customer agencies and the BPD group\n    and the BTD phone list and determined that users with Administrator access were restricted to\n    employees in BTD group.\n\xe2\x80\xa2   Observed webTA for an initial login and noted that the user was required to create a new\n    password at first login.\n\xe2\x80\xa2   Inspected webTA password settings and determined that failed logins, password complexity,\n    aging, generation, and length requirements were configured in accordance with ARC\n    password standards.\n\n\n                                              67     
•   Inspected webTA configuration settings and determined that webTA sessions were configured to time out if they remained inactive for 10 minutes.
•   Observed a user access the GovTrip system and noted that a user needed to be authenticated prior to accessing the system.
•   For a selection of new GovTrip users, inspected user access request forms or e-mails and determined that the forms or e-mails were completed and access was authorized.
•   For a selection of changes to GovTrip users, inspected authorizing documentation and determined that access changes were documented and access was authorized.
•   Inspected a list of separated employees and a list of GovTrip users and determined that the separated employees did not retain access to the GovTrip application.
•   Inspected evidence of distribution of GovTrip user lists for review and determined that user account lists were distributed on an annual basis for review.
•   Inquired of ARC management and was informed that the privileges provided within GovTrip were provided based on the concept of least privilege.
•   Inspected the user privileges within GovTrip and determined that users were assigned in a role-based security configuration from highest to lowest.
•   Observed a GovTrip user attempt to change their password to an invalid setting and determined that the system automatically prevented the use of passwords that did not conform to the requirements, with the following exception noted:
    •   The password settings in GovTrip did not enforce one aspect of the password complexity requirements.
        Remediation efforts were performed by BPD. A patch for the enforcement of password configuration settings was placed into production on June 20, 2009. Observed an ARC employee on June 22, 2009, attempt to change a password to an invalid setting and determined that GovTrip automatically prevented the use of invalid password settings that did not conform to the requirements.
•   Observed a moveLINQ user log in to the web-based system and noted that they were required to enter a user ID and password.
•   Inspected a selection of reviewed moveLINQ user access lists and determined that the review of access was performed.
•   Inspected documentation for a selection of added moveLINQ users and determined that the requests were documented and approved.
•   Inspected a selection of moveLINQ modification requests and determined that the requests were documented and approved.
•   Inspected a selection of moveLINQ termination requests and determined that the removal of access was documented and performed.
•   Inspected the list of ARC separations and the active list of moveLINQ accounts and determined that there were no accounts of terminated employees on the system.
•   Inspected the current moveLINQ user list and determined that accounts were assigned network IDs.
•   Observed and noted that a moveLINQ user must reset their password upon initial login.
•   Observed a moveLINQ user attempt to change their password to non-compliant passwords to test length and complexity requirements and noted that the system prevented the changes.
•   Observed a moveLINQ user enter an incorrect password 3 times and determined that the system locked the user account.
•   Inspected the user privileges within moveLINQ and determined that users were assigned in a role-based security configuration from highest to lowest.

No exceptions noted, except as described above.

Control Objective 18 – System Changes

Controls provide reasonable assurance that system application changes are tested, approved, and documented in accordance with ARC policies and procedures.

Description of Controls

ARC has documented procedures for testing, approving, and documenting changes. Prior to the Oracle on Demand migrations, ARC System Administrators served as facilitators of the formal change management process using iETSolutions Workcenter (iET), a COTS application maintained by BPD’s Office of Information Technology that provides change management, incident tracking, and service request logging capabilities. Beginning with the migration to Oracle on Demand in April and May 2009, ARC System Administrators continue as facilitators of the formal change management process via MetaLink, Oracle on Demand’s web-based service request system.

Additional information regarding the Oracle migration is contained in the Information and Communication section of this report.

Oracle and PRISM
For Oracle and PRISM, ARC uses iET/MetaLink to document the key steps for each change, including the initial request, approval, and implementation into production.

ARC processes standard software releases (i.e., patches) for both Oracle and PRISM. Additionally, ARC processes customized application extension changes to Oracle.
The ability to process and apply Oracle and PRISM changes is restricted to the database administrators under the coordination of OIT/Oracle on Demand.

ARC System Administrators, as designees of the system owner, serve as the primary initiators of change requests. The request indicates all affected parties, a description of the change, the applicable instance, and the requested date of the change. PTSB staff develop customizations in separate development instances. QCB staff test changes by running test scripts and analyzing the results. Upon successful completion of testing, QCB staff approve the change request and forward it to the performer of the change, the OIT/Oracle on Demand database administrators. After the approved request has been completed, the performer updates the request in iET/MetaLink accordingly, and the request is then closed.

For emergency changes to a production instance of Oracle or PRISM, ARC requires verbal approval from a designated on-call manager and from the Information Technology Support Branch Manager. ARC System Administrators document the emergency change in iET on the next business day.

webTA
ARC has a webTA maintenance agreement in place with immixTechnology, a vendor for Kronos’ webTA product.

For webTA, ARC applies standard software releases (i.e., patches) only. Unlike Oracle, webTA does not have application extensions that are customizable by ARC.

When a new webTA release is received from Kronos (the developer of webTA), QCB staff test the new release in a separate test instance by running test scripts and analyzing the results. Upon successful completion of customer acceptance testing, the QCB staff forward a request for applying the new webTA release to production to the appropriate parties for approval. The ability to apply webTA releases is restricted to the database administrators under the coordination of OIT. The new webTA release is not applied to production until it has been successfully tested and approved.

GovTrip
GovTrip is hosted and maintained by NGMS at their facility. NGMS informs TSD of scheduled system release updates and the changes contained therein. System changes are also initiated by TSD Analysts, who make enhancement requests to NGMS for changes to be included by NGMS in future scheduled release updates. TSD analysts test all GovTrip changes in a GovTrip acceptance test environment. If any of the changes included in a scheduled GovTrip release update fail TSD’s acceptance testing, NGMS may delay implementation of the release update. TSD has documented procedures for testing GovTrip changes. Guidance is provided to customer contacts on any changes.

moveLINQ
moveLINQ is hosted by OIT and maintained at BPD. mLINQS informs the RSB Manager and moveLINQ System Administrators of scheduled system release updates and the changes contained therein. System changes are also initiated by moveLINQ System Administrators, who make enhancement requests to mLINQS for changes to be included by mLINQS in future scheduled release updates. moveLINQ System Administrators test all moveLINQ changes in a moveLINQ test environment. If any of the changes included in a scheduled moveLINQ release update fail the System Administrators’ testing, RSB may delay implementation of the update until the release passes the testing. RSB has documented procedures for testing and implementing moveLINQ changes. RSB uses the Bureau’s iETSolutions Workcenter (iET) to track changes to the system.

Tests of Operating Effectiveness and Results of Testing

•   Inspected written procedures and determined that ARC had documented procedures for testing, approving, and documenting changes.
•   Inspected the access control lists for the Oracle database and the host server and determined that the System Administrator and Database Administrator (DBA) privileges were commensurate with job responsibilities.
•   Inspected the access control lists for the PRISM back-end database and the host server and determined that the System Administrator and DBA privileges were commensurate with job responsibilities.
•   Inspected the webTA system maintenance agreement and determined that the agreement contained system maintenance provisions and that it was current.
•   Inspected a selection of webTA upgrades and emergency changes processed in the iET system and determined that the documentation of testing and approval was completed.
•   Inspected the GovTrip system maintenance agreement and determined that the agreement contained system maintenance provisions and that it was current.
•   For a selection of GovTrip changes, inspected documentation of testing and determined that the changes were tested prior to implementation in production.
•   Inspected written procedures and determined that the testing of GovTrip changes was in accordance with the procedures.
•   Inspected the moveLINQ system maintenance agreement and determined that the agreement contained system maintenance provisions and that it was current.
•   For a selection of moveLINQ changes, inspected documentation of testing and determined that changes were tested prior to implementation in production.
•   Inspected written procedures for testing moveLINQ changes and determined that change procedures were formally documented.
•   Observed iET and noted that the system was designed to retain the necessary change management documentation and noted when a change to iET was made.
•   Inspected a selection of changes processed in the iET system and determined that the changes were tested and approved prior to implementation in the production environment.
•   Inspected a selection of emergency changes processed in the iET system and determined that the emergency change process was followed and properly documented.
•   Inspected the Oracle on Demand maintenance agreement and determined that the agreement contained system upgrade and maintenance provisions.
•   For a selection of Oracle on Demand changes via MetaLink, inspected documentation of testing and determined that the changes were tested prior to implementation in production.

No exceptions noted.

Control Objective 19 – Non-interruptive System Service

Controls provide reasonable assurance that interruptions due to operational failures are appropriately limited.

Description of Controls

Prior to the Oracle on Demand migrations, Oracle, PRISM, webTA, and moveLINQ servers resided in OIT’s data center.
The hosting of Oracle and PRISM for two of the three ARC customer environments was migrated to Oracle on Demand, with cutover dates of April 14, 2009 and May 26, 2009, respectively.

Additional information regarding the Oracle migration is contained in the Information and Communication section of this report.

BPD has documented policies and procedures for controlling physical access to BPD buildings and to the data center. These include:
    •   Identification of sensitive/critical areas to which access needs to be restricted.
    •   Physical access controls designed to detect unauthorized access.
    •   Procedures for log reviews and investigation of violations.
The Security Branch issues employee badges after performing security background checks and fingerprinting. Employees are required to have badges available at all times upon request. Terminated employees are required to surrender identification badges and are removed from the Physical Access Control System (PACS) immediately.

Physical access to the OIT Data Center is restricted to authorized users only. An employee needing access to the data center must have his/her Branch Manager request access. The requests are made through iET, a workflow system that is used to approve data center access. After the Branch Manager completes and submits the iET request form, the request is forwarded to OIT’s data center managers for approval in iET. If OIT approves the request, the BPD Division of Security and Emergency Preparedness (DSEP) Security Branch grants access via PACS. Only designated DSEP specialists have access to PACS. Access to all sensitive areas requires use of a badge. The use of a badge provides an audit trail that is reviewed by OIT management monthly for potential access violations. Any unauthorized access attempts are followed up on by contacting the individual’s supervisor.

Individuals without badge access to the data center must be escorted to the command center and are required to sign in/out of a visitor log to be issued a data center visitor badge. Visitor badges do not have access to the data center, but rather designate the individual as a visitor. This log is maintained at the main entrance to the data center.

Vendors that are authorized to have a badge are issued a one-day badge and must leave their access badge onsite following completion of work in the data center. A log of one-day badges is maintained and reviewed daily.

OIT performs a monthly review and reconciliation of individuals with data center access against individuals authorized to have data center access. Additionally, OIT performs an annual review and recertification of individuals with access to the data center. If an individual is found to have unauthorized data center access, OIT will, based on the individual’s need for access, decide whether to request that DSEP remove their data center access or whether to provide authorization for their access.

The Oracle application is monitored using Quest’s Spotlight and Foglight. Performance monitoring is provided by Fluke Networks SuperAgent. The networked applications also use Mercury’s SiteScope to monitor web sites, FTP servers, web servers, and some intrusion detection every ten minutes. The availability of network infrastructure, such as switches and firewalls, is monitored using HP OpenView. OIT’s data center is also physically monitored by Andover monitoring software. The Andover monitoring software provides continuous checking and alarming capabilities for temperature changes, water, and humidity threats. Fire detection and suppression systems are installed in the data center. Redundant battery-powered uninterruptible power supplies and a backup generator protect the data center from an unplanned loss of power. Redundant air conditioning systems protect data center computers from overheating in the event of air conditioning equipment failure. OIT provides operations, support, capacity planning, performance monitoring, networking, security monitoring, development, change management, backup, hardware acquisitions and maintenance, and installation support for ARC.

Oracle
The hosting of Oracle for two of the three customer environments was migrated to Oracle on Demand. The cutover dates were April 14, 2009 and May 26, 2009, respectively.

After the migration, Oracle on Demand performed the following controls for Oracle:

For C1, Oracle production archive logs are sent to an off-site contingency location every 30 minutes. For C2, the Oracle nightly production backup is used to refresh the off-site contingency site. The Oracle contingency sites are tested annually as part of the bureau-wide Business Functionality Test (BFT) exercise.

Oracle on Demand performs daily backups of the database, application code tree, archive logs, and control files and stores them on a file server for 5 days. Additionally, semi-weekly backups are performed of the database, application code tree, archive logs, and control files, and are stored on tape and retained for five weeks.

System operations manuals are provided to each employee assigned system maintenance responsibilities. In addition, Oracle support personnel have access to internal application setup and security documentation, as well as various manuals and documentation produced by the Oracle Corporation. The Oracle Support Team is available for users to call if they are experiencing difficulties with the system.

From July 1, 2008 through the cutover dates, OIT performed the following controls for Oracle:

At no less frequently than 15-minute intervals, the Oracle production archive logs were sent to the off-site Oracle CONTINGENCY server via the Oracle archiver. The Oracle CONTINGENCY server was tested annually as part of a bureau-wide BFT.

OIT performs complete backups of the AppTier and database nightly. The databases are copied to the CONTINGENCY server nightly for failover and redundancy. OIT copies the AppTier to CONTINGENCY on an as-needed basis. Additionally, OIT performs differential backups of the production system nightly and performs a full tape backup weekly. The daily backup tapes are sent to an offsite facility on a weekly basis where they are kept for eight weeks. The monthly backup tapes are then sent to a long-term offsite facility.

See Control Objective 20 for further discussion of the backup process.

PRISM
The hosting of PRISM for two of the three customer environments has been migrated to Oracle on Demand; the cutover dates were April 14, 2009 and May 26, 2009, respectively.

After migration, Oracle on Demand performed the following controls for PRISM:

For C1, PRISM production archive logs are sent to an off-site contingency location every 30 minutes. For C2, the PRISM nightly production backup is used to refresh the off-site contingency site. The PRISM contingency sites are tested annually as part of the bureau-wide BFT exercise.

Oracle on Demand performs daily backups of the database, application code tree, archive logs, and control files and stores them on a file server for 5 days.
Additionally, semi-weekly backups are\nperformed of the database, application code tree, archive logs, and control files, and are stored in\ntape and retained for five weeks.\n\nPRISM support personnel have access to internal application setup and security documentation,\nas well as various manuals and documentation produced by Compusearch Corporation. The\nPRISM Support Team within CSB is available for users to call if they are experiencing\ndifficulties with the system.\n\nFrom July 1, 2008 through the cutover dates, OIT performed the following controls for PRISM:\n\nAt no less frequently than 15-minute intervals, the PRISM production archive logs were sent to\nthe off-site PRISM CONTINGENCY server via the Oracle archiver.                   The PRISM\nCONTINGENCY server was tested annually as part of a bureau-wide BFT.\n\nOIT performs differential backups of the production system nightly and performs a full tape\nbackup weekly. The nightly backup tapes are sent to an offsite facility on a weekly basis where\nthey are kept for eight weeks. The monthly backup tapes are then sent to a long-term offsite\nfacility.\n\nSee Control Objective 20 for further discussion of the backup process.\n\nwebTA\nwebTA support personnel have access to online documentation produced by Kronos. The Human\nResources Support Desk is available for users to call if they are experiencing difficulties with the\nsystem. QCB acts as a liaison between the Human Resources Support Desk and OIT to resolve\nsystem issues.\n\nOIT performs differential backups of the production system nightly and performs a full tape\nbackup weekly. The nightly backup tapes are sent to an offsite facility on a weekly basis where\nthey are kept for eight weeks. 
The monthly backup tapes are then sent to a long-term offsite\nfacility.\n\nSee Control Objective 20 for further discussion of the backup process.\n\n\n                                               75       Control Objectives, Related Controls, and\n                                                                 Tests of Operating Effectiveness\n\x0cGovTrip\nARC TSD staff investigates and attempts to resolve any system issues noticed by the ARC staff\nor reported to TSD by GovTrip users. When possible, TSD staff resolves GovTrip issues. If\nTSD staff cannot resolve an issue, the issue is escalated to NGMS. TSD notifies system users of\nthe length of the expected outage or malfunction and notifies them again when the issue is\nresolved.\n\nNGMS maintains the data in their Business Data Warehouse for six years and three months.\n\nmoveLINQ\nARC purchases new license agreements annually from mLINQS, which include all upgrades and\nservice packs, monthly per diem rates, Federal travel regulation updates, and unlimited technical\nsupport.\n\nmoveLINQ System Administrators investigate any system issues noticed by the OIT Database\nAdministrators or reported to them by moveLINQ users. When possible, moveLINQ System\nAdministrators resolve moveLINQ issues. If the administrator cannot resolve an issue, the issue\nis escalated to mLINQS, the vendor. The System Administrator notifies the users of the length of\nthe expected problem and notifies them again when the issue is resolved.\n\nAt no less frequently than 15-minute intervals, the moveLINQ database is automatically\nreplicated to the off-site moveLINQ CONTINGENCY server. The moveLINQ CONTINGENCY\nserver is tested annually as part of a bureau-wide BFT.\n\nOIT performs differential backups of the production system nightly and performs a full tape\nbackup weekly. The nightly backup tapes are sent to an offsite facility on a weekly basis where\nthey are kept for eight weeks. 
The monthly backup tapes are then sent to a long-term offsite facility.

See Control Objective 20 for further discussion of the backup process.

RSB maintains the data in the moveLINQ system for six years and three months.

Tests of Operating Effectiveness and Results of Testing
• Inspected physical access policies and procedures for the data center and determined that they were documented and that they included the identification of sensitive/critical areas to which access needs to be restricted, physical access controls designed to detect unauthorized access, and procedures for log reviews and investigation of violations.
• Observed physical access controls of BPD buildings and the OIT data center and noted that the security guards, video cameras, badge readers, and locked doors were in place and in operation to restrict access.
• Observed persons entering BPD buildings and noted that persons were required to place any materials, packages, bundles, etc.
onto an x-ray machine, and additionally were required to pass through a walkthrough metal detector.
• Observed persons entering BPD buildings and noted that an activation of the walkthrough metal detector resulted in further screening by the security guard, utilizing a handheld metal detector to identify the source of activation.
• Observed an entrant swipe their badge into the access control system and noted that the control system granted access to authorized personnel.
• Inspected a list of employees with card key access to the data center and tape storage room from the card security system and an OIT phone list showing employees requiring access to the data center and tape storage room, and determined that physical access to the OIT data center was restricted to authorized employees only.
• For a selection of employees and contractors granted access to the data center, inspected the iET record for granting access and determined that access was approved by the data center manager.
• For a selection of dates, inspected visitor logs and determined that visitor logs were used.
• For a selection of dates, inspected the daily shift logs and determined that an inventory of vendor badges was performed.
• Inspected documentation of the monthly review of physical access privileges to the data center and determined that access privileges were reviewed.
• Inspected documentation of the semi-annual review of physical access privileges to the data center and determined that access privileges were reviewed.
• Inspected documentation of the annual recertification of physical access
privileges to the data center and determined that access privileges were recertified.
• Observed Quest’s Spotlight and Foglight, Fluke Networks SuperAgent, and Mercury’s SiteScope, and noted that these applications were installed and in use by OIT staff.
• Observed variance reports, monitoring logs, and automatically generated alerts from Quest’s Spotlight and Foglight and noted that these applications provided monitoring over Oracle and that OIT staff reviewed these reports, logs, and alerts.
• Observed variance reports, monitoring logs, and automatically generated alerts from Fluke Networks SuperAgent and noted that this application provided monitoring over the general performance of networked applications and that OIT staff reviewed these reports, logs, and alerts.
• Observed variance monitoring logs and automatically generated alerts from Mercury’s SiteScope and noted that this application provided monitoring over websites, FTP servers, and web servers and that OIT staff reviewed these logs and alerts.
• Observed HP OpenView and noted that this application was installed and in use by OIT staff and provided a record of availability of the network infrastructure.
• Observed the Andover monitoring application and noted that the application was installed and used to monitor OIT data center environmental conditions.
• Observed the OIT data center and noted that sprinklers, hand-held fire extinguishers, and raised floors were present.
• Inspected completed maintenance work orders and inspection reports for the uninterruptible power supply (UPS) and the emergency power generator and determined that the generator and UPS were maintained.
• Observed deployed environmental controls and noted that environmental controls were
present.
• Observed the Oracle system operations manuals and determined that the manuals were available to support personnel.
• Observed internal application setup and security documentation, as well as various manuals and documentation produced by Oracle, and determined that Oracle support personnel had adequate access to materials.
• Inspected the agreement with the offsite storage vendor and determined that a formal agreement was in place for the offsite storage of digital data received on a weekly basis.
• Inspected the Oracle CONTINGENCY server test documentation records and determined that the server was tested as a part of the bureau-wide Business Functionality Test.
• Inspected a daily selection of AppTier and database backup records and determined that AppTier and databases were copied to the CONTINGENCY server nightly for failover and redundancy.
• Inspected a nightly selection of the Oracle production system backups and determined that nightly differential and weekly full tape backups had been performed.
• Observed Oracle picking and packing lists and noted that daily backup tapes were sent to an offsite facility on a weekly basis for eight weeks and that the monthly backup tapes were then sent to a long-term offsite facility.
• Observed PRISM application setup and security documentation and system manuals and noted that documentation was available to support personnel.
• Inquired of management and was informed that the PRISM Support Team fielded calls for incidents related to PRISM.
• Inspected the PRISM system logs and determined that the logs documented
the offsite storage of data on a weekly basis.
• Inspected the PRISM CONTINGENCY server test documentation records and determined that the server was tested as a part of the bureau-wide Business Functionality Test.
• Inspected a nightly selection of the PRISM production system backups and determined that nightly differential and weekly full tape backups were performed.
• Observed PRISM picking and packing lists and noted that daily backup tapes were sent to an offsite facility on a weekly basis for eight weeks and that the monthly backup tapes were then sent to a long-term offsite facility.
• Inspected ARC’s maintenance agreement for webTA and determined that it was current.
• Inspected a nightly selection of the webTA production system backups and determined that nightly differential and weekly full tape backups were performed.
• Observed webTA picking and packing lists and noted that daily backup tapes were sent to an offsite facility on a weekly basis for eight weeks and that the monthly backup tapes were sent to a long-term offsite facility.
• Inspected the GovTrip incident escalation procedures and determined that the incident escalation procedures were documented and available to support ARC staff personnel in investigating and attempting to resolve any system issues.
• Inspected the GovTrip incident escalation procedures and determined that if TSD staff could not resolve an issue, the issue was escalated to NGMS.
• Observed GovTrip backup rotation logs and determined that offsite backup tape retention was six years and three months.
• Inspected
ARC’s maintenance agreement with mLINQS and determined that the agreement required mLINQS to provide software and technical support for moveLINQ.
• Inspected RSB System Administrators’ escalation procedures and determined that if an RSB Administrator could not resolve an issue, the issue was escalated to mLINQS.
• Inspected the agreement with the offsite storage vendor and determined that a formal agreement was in place for the offsite storage of moveLINQ data on a weekly basis.
• Inspected a yearly selection of moveLINQ CONTINGENCY server test documentation records and determined that the server was tested as a part of the bureau-wide Business Functionality Test.
• Inspected a nightly selection of the moveLINQ production system backups and determined that nightly differential and weekly full tape backups were performed.
• Observed moveLINQ picking and packing lists and noted that daily backup tapes were sent to an offsite facility on a weekly basis for eight weeks and that the monthly backup tapes were then sent to an RSB long-term offsite facility for six years and three months.

No exceptions noted.

Control Objective 20 – Records Maintenance

Controls provide reasonable assurance that source document files are retained and safeguarded in accordance with ARC and BPD’s Records Management Office policies and procedures.

Description of Controls

The hosting of Oracle and PRISM for two of the three customer environments has been migrated to Oracle on Demand. The cutover dates were April 14, 2009 and May 26, 2009. Effective on these dates, data backups of Oracle and PRISM are now performed by Oracle on Demand.
Oracle on Demand performs daily backups of the database, application code tree, archive logs, and control files and stores them on a file server for 5 days. Additionally, semi-weekly backups are performed of the database, application code tree, archive logs, and control files and are stored on tape and retained for 5 weeks.

Additional information regarding the Oracle migration is contained in the Information and Communication section of this report.

Both prior to and after the Oracle on Demand migrations, OIT/Division of Technology Services (DTS) performs data backups of the moveLINQ application.

From July 1, 2008 through the cutover dates, OIT performed the following controls:

OIT/DTS performs backups of specified distributed systems and applications as identified by the data owners. These backups are performed according to the guidelines set forth in the Standard Operating Procedures. Once the backups have been completed, the media can be moved to an alternate facility as long as the data is encrypted. Once media is identified as needing to be moved off-site, the Enterprise Infrastructure Branch (EIB)/Data Archival and Retrieval Team (DART) is notified with the specified media ID numbers and the desired retention period. EIB/DART will remove the specified media from the tape library and send it to CAPS in sealed containers. The location of media is tracked by the various systems that create the images on the media using data backup utilities. In addition, EIB/DART maintains copies of all contingency site transmittal sheets that list the media sent in each shipment. Once a week, media is picked up and returned by the off-site storage provider. Long-term offsite storage is provided through a contract.
Authority to recall tapes from off-site is limited to those individuals identified on a list maintained by the off-site storage provider.

Based on the requirements for the data in the accounting, procurement, and relocation systems, backup tapes are created daily, weekly, and monthly. Daily tapes are retained onsite for four weeks in the data center tape vault. Weekly and monthly tapes are stored offsite with a tape storage vendor. Weekly tapes are retained for eight weeks offsite and monthly tapes for two years to indefinitely, depending on the data contained. For the HR time clock system, tapes are created weekly and stored off site for two to eleven years, depending on the data.

When tapes are returned from long-term storage, OIT reconciles the shipment that they have received to their records of the tapes expected to be returned.

On an annual basis, OIT performs a full physical inventory of all backup tapes that are in BPD’s possession, both at the data center tape library in Parkersburg, West Virginia and at BPD’s contingency site.

Network File Servers
Differential tape backups of network servers are created daily. On a weekly basis, OIT completes a full backup of all ARC shared network files (active and inactive) to a data tape. OIT retains the backup tapes for five weeks.

Record Storage

FileSurf is a National Archives and Records Administration (NARA) approved records storage system used by ARC. Hard copy data records are kept in folders and/or binders on-site for one or two years.
When hard copy data records are ready to be transferred off-site, they are either stored in boxes or they are scanned and stored electronically.

Data records that will be retained in hard copy are packed into boxes and sent to off-site storage. Prior to sending the boxes off-site, a description of the data being stored in the box, including the box’s latest document date and approved retention authority, is entered into FileSurf. BPD’s Records Management Office approves the box for storage and produces a label that is placed on the box. The label includes a unique box number, bar code, and box description. The destruction date is calculated using the approved retention period and the latest document date.

Hard copy data records may also be scanned and saved electronically in FileSurf. PDF data records are stored in FileSurf folders based on the data’s calculated destruction date, using the approved retention period and the latest document date. This method provides quicker access to archived data.

For relocation documents, active hard copy records are locked after hours.
Inactive and closed hard copy records are maintained in a locked onsite storage room.

Tests of Operating Effectiveness and Results of Testing

• Observed the online tape management system and determined that data was encrypted prior to being written to tape and sent off site.
• Inspected a list of individuals with authority to recall tapes from offsite storage and their job descriptions and determined that authority to recall tapes was commensurate with job responsibilities.
• Observed the online tape management system and contingency site Tape Manifests and noted that tapes were kept at three separate locations.
• Inspected the agreement with the offsite storage vendor and determined that a formal agreement was in place for the offsite storage of media.
• Observed Operations Personnel step through the process of opening received packages of tapes from the contingency site and noted that they compared the contents of the package to the tape management records.
• Inspected full physical inventory documents of all backup tapes that were in BPD’s possession and determined that the annual tape inventory was performed.
• For a selected network file server used by ARC, inspected system-generated backup schedules and backup logs and determined that daily differential backups and weekly full backups of the file server were scheduled and successfully completed.
• Observed the location of the on-site hard copy records and noted that the hard copy records were stored on-site in folders for the specified time period.
• Inspected an example hard copy records offsite shipment box and
determined that appropriate descriptions were documented.
• Inspected an example of hard copy records offsite shipment logs and determined that the hard copy records were labeled and stored.
• Inspected hard copy records destruction logs and determined that the hard copy records were labeled and stored.
• Observed the FileSurf system and noted that the records could be created, requested, and saved electronically using FileSurf, which was maintained by IMB.
• Observed the location of the active hard copy data records and noted that the hard copy records were locked after hours.
• Observed the location of the inactive hard copy data records and noted that the hard copy records were stored in a locked onsite storage room.
• Inspected the list of authorized individuals that had access to the onsite storage room and determined that only authorized individuals had access.

No exceptions noted.

IV. OTHER INFORMATION PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

CONTINGENCY PLANNING

System Back Up
The Oracle Federal Financials (Oracle) accounting system has a contingency plan managed by the Administrative Resource Center (ARC). There is a formal ARC Business Continuity Plan (BCP), last updated January 2008. All essential Oracle functions will be performed at the contingency site with the support of ARC employees. Monthly testing is conducted that focuses on the restoration of systems, as well as critical data sets.
Full disaster recovery testing is performed on an annual basis in conjunction with the Bureau of the Public Debt’s (BPD) Office of Information Technology (OIT) Data Center’s Disaster Recovery Plan (DRP).

OIT uses NetBackup from Veritas to back up networked systems. Short-term storage of Oracle tapes is maintained at a Contingency Alternate Processing Site (CAPS) facility. Long-term tape storage is maintained at an offsite location.

OIT performs changed-data backups of the Oracle and PRISM systems daily and performs full data backups weekly. Daily differential backup tapes are retained by OIT and stored in the Data Center, where they are recycled after four weeks. On a weekly basis, the full tape backups are placed in turtle cases and sent to the Tape Vault at the CAPS facility. The tape backups are retained for approximately eight weeks and then shipped to the long-term storage facility, where they are retained for seven years.

OIT performs complete backups of the production database and AppTier nightly. OIT copies the AppTier to CONTINGENCY on an as-needed basis. All critical datasets are retained for at least three years at a long-term offsite facility.

At 15-minute intervals, the Oracle production system archive logs are copied to the off-site Oracle CONTINGENCY server via the Oracle archiver. The Oracle CONTINGENCY server is tested annually as part of a bureau-wide BFT exercise.

OIT performs differential backups of the webTA production system nightly and performs a full tape backup weekly. The nightly backup tapes are sent to an offsite facility on a weekly basis where they are kept for eight weeks. The monthly backup tapes are then sent to a long-term offsite facility.

OIT performs differential backups of the moveLINQ production database nightly and performs a full tape backup weekly. The nightly backups are sent to an offsite facility on a weekly basis where they are kept for eight weeks.
The monthly backup tapes are sent to a long-term offsite facility. At 15-minute intervals, the moveLINQ database is automatically replicated to the off-site moveLINQ contingency server. The moveLINQ application is tested annually as part of a bureau-wide BFT exercise.

NGMS is responsible for system backup of GovTrip and maintains data in their Business Data Warehouse for six years and three months.

Continuity of Operations
A fire alarm and sprinkler system that is managed, maintained, and tested by the building management protects ARC and OIT facilities. Alarms are active 24 hours a day, 7 days a week, and are tied to a local alarm services company for spontaneous notification. Sprinkler heads are located in the ceiling of each room of the buildings. This is a “wet pipe” (always charged with water) system with individual heads that discharge water.

84  Other Information Provided by the Bureau of the Public Debt

In the event the main building, where the Oracle system is maintained, becomes inoperable, network operations would be relocated to the CAPS facility in accordance with the OIT data center’s DRP. This facility employs a “warm site” strategy for recovery of network operations. Oracle has been classified as a critical application.

As part of the ARC BCP, should ARC facilities become unavailable, essential ARC personnel will relocate to the CAPS facility to reestablish their essential functions. ARC will revert to manual procedures until the networked accounting system is fully recovered at the CAPS facility.

V.
INDEPENDENT AUDITORS’ REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors’ Report

Inspector General, U.S. Department of the Treasury
Deputy Executive Director, Administrative Resource Center:

We have examined the accompanying description of the accounting processing and general computer controls related to the financial management services provided by the Administrative Resource Center (ARC) of the Bureau of the Public Debt (BPD) as of June 30, 2009, and have issued our report thereon dated August 27, 2009. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants, and applicable Government Auditing Standards, issued by the Comptroller General of the United States.

Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of BPD’s controls that may be relevant to customer agencies’ internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and customer agencies and sub-service organizations applied the controls contemplated in the design of BPD’s controls; and (3) such controls had been placed in operation as of June 30, 2009. The control objectives were specified by the management of BPD.
Our examination included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

Compliance with laws and regulations applicable to ARC of BPD is the responsibility of BPD management. As part of obtaining reasonable assurance about whether control structure policies and procedures tested were operating with sufficient effectiveness to achieve the related control objectives during the period from July 1, 2008 to June 30, 2009, we performed tests of BPD’s compliance with certain provisions of applicable laws and regulations directly and materially affecting the accounting and general computer controls. We limited our tests of compliance to these provisions and we did not test compliance with all applicable laws and regulations. The objective of our examination was not, however, to provide an opinion on overall compliance with such provisions. Accordingly, we do not express such an opinion.

The results of our tests disclosed no instances of noncompliance that are required to be reported herein under Government Auditing Standards.

This report is intended solely for the information and use of the management of BPD, its customer agencies, the independent auditors of its customer agencies, the U.S. Department of the Treasury Office of Inspector General, the Office of Management and Budget, the Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

August 27, 2009

87
KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.